diff options
Diffstat (limited to 'docs/manpages/smb.conf.5')
| -rw-r--r-- | docs/manpages/smb.conf.5 | 9869 |
1 files changed, 7201 insertions, 2668 deletions
diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5 index 933d71ff0c..32a40d2609 100644 --- a/docs/manpages/smb.conf.5 +++ b/docs/manpages/smb.conf.5 @@ -1,2719 +1,7252 @@ -.TH SMB.CONF 5 11/10/94 smb.conf smb.conf +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMB.CONF" "5" "01 April 2002" "" "" .SH NAME -smb.conf \- configuration file for smbd -.SH SYNOPSIS -.B smb.conf -.SH DESCRIPTION -The -.B smb.conf -file is a configuration file for the Samba suite. - -.B smb.conf -contains runtime configuration information for the -.B smbd -program. The -.B smbd -program provides LanManager-like services to clients -using the SMB protocol. - -.SH FILE FORMAT -The file consists of sections and parameters. A section begins with the -name of the section in square brackets and continues until the next -section begins. Sections contain parameters of the form 'name = value'. - -The file is line-based - that is, each newline-terminated line represents -either a comment, a section name or a parameter. - +smb.conf \- The configuration file for the Samba suite +.SH "SYNOPSIS" +.PP +The \fIsmb.conf\fR file is a configuration +file for the Samba suite. \fIsmb.conf\fR contains +runtime configuration information for the Samba programs. The +\fIsmb.conf\fR file is designed to be configured and +administered by the \fBswat(8)\fR +program. The complete description of the file format and +possible parameters held within are here for reference purposes. +.SH "FILE FORMAT" +.PP +The file consists of sections and parameters. A section +begins with the name of the section in square brackets and continues +until the next section begins. Sections contain parameters of the +form +.PP +\fIname\fR = \fIvalue +\fR.PP +The file is line-based - that is, each newline-terminated +line represents either a comment, a section name or a parameter. +.PP Section and parameter names are not case sensitive. - -Only the first equals sign in a parameter is significant. Whitespace before -or after the first equals sign is discarded. Leading, trailing and internal -whitespace in section and parameter names is irrelevant. Leading and -trailing whitespace in a parameter value is discarded. Internal whitespace -within a parameter value is retained verbatim. - -Any line beginning with a semicolon is ignored, as are lines containing -only whitespace. - -Any line ending in a \\ is "continued" on the next line in the -customary unix fashion. - -The values following the equals sign in parameters are all either a string -(no quotes needed) or a boolean, which may be given as yes/no, 0/1 or -true/false. Case is not significant in boolean values, but is preserved -in string values. Some items such as create modes are numeric. -.SH SERVICE DESCRIPTIONS -Each section in the configuration file describes a service. The section name -is the service name and the parameters within the section define the service's -attributes. - -There are three special sections, [global], [homes] and [printers], which are -described under 'special sections'. The following notes apply to ordinary -service descriptions. - -A service consists of a directory to which access is being given plus a -description of the access rights which are granted to the user of the -service. Some housekeeping options are also specifiable. - -Services are either filespace services (used by the client as an extension of -their native file systems) or printable services (used by the client to access -print services on the host running the server). - -Services may be guest services, in which case no password is required to -access them. A specified guest account is used to define access privileges -in this case. - -Services other than guest services will require a password to access -them. The client provides the username. As many clients only provide -passwords and not usernames, you may specify a list of usernames to -check against the password using the "user=" option in the service -definition. - -Note that the access rights granted by the server are masked by the access -rights granted to the specified or guest user by the host system. The -server does not grant more access than the host system grants. - -The following sample section defines a file space service. The user has write -access to the path /home/bar. The service is accessed via the service name -"foo": - - [foo] +.PP +Only the first equals sign in a parameter is significant. +Whitespace before or after the first equals sign is discarded. +Leading, trailing and internal whitespace in section and parameter +names is irrelevant. Leading and trailing whitespace in a parameter +value is discarded. Internal whitespace within a parameter value +is retained verbatim. +.PP +Any line beginning with a semicolon (';') or a hash ('#') +character is ignored, as are lines containing only whitespace. +.PP +Any line ending in a '\\' is continued +on the next line in the customary UNIX fashion. +.PP +The values following the equals sign in parameters are all +either a string (no quotes needed) or a boolean, which may be given +as yes/no, 0/1 or true/false. Case is not significant in boolean +values, but is preserved in string values. Some items such as +create modes are numeric. +.SH "SECTION DESCRIPTIONS" +.PP +Each section in the configuration file (except for the +[global] section) describes a shared resource (known +as a "share"). The section name is the name of the +shared resource and the parameters within the section define +the shares attributes. +.PP +There are three special sections, [global], +[homes] and [printers], which are +described under \fBspecial sections\fR. The +following notes apply to ordinary section descriptions. +.PP +A share consists of a directory to which access is being +given plus a description of the access rights which are granted +to the user of the service. Some housekeeping options are +also specifiable. +.PP +Sections are either file share services (used by the +client as an extension of their native file systems) or +printable services (used by the client to access print services +on the host running the server). +.PP +Sections may be designated \fBguest\fR services, +in which case no password is required to access them. A specified +UNIX \fBguest account\fR is used to define access +privileges in this case. +.PP +Sections other than guest services will require a password +to access them. The client provides the username. As older clients +only provide passwords and not usernames, you may specify a list +of usernames to check against the password using the "user =" +option in the share definition. For modern clients such as +Windows 95/98/ME/NT/2000, this should not be necessary. +.PP +Note that the access rights granted by the server are +masked by the access rights granted to the specified or guest +UNIX user by the host system. The server does not grant more +access than the host system grants. +.PP +The following sample section defines a file space share. +The user has write access to the path \fI/home/bar\fR. +The share is accessed via the share name "foo": +.sp +.nf + [foo] path = /home/bar - writable = true - -The following sample section defines a printable service. The service is -readonly, but printable. That is, the only write access permitted is via -calls to open, write to and close a spool file. The 'guest ok' parameter -means access will be permitted as the default guest user (specified elsewhere): - - [aprinter] + writeable = true + + +.sp +.fi +.PP +The following sample section defines a printable share. +The share is readonly, but printable. That is, the only write +access permitted is via calls to open, write to and close a +spool file. The \fBguest ok\fR parameter means +access will be permitted as the default guest user (specified +elsewhere): +.sp +.nf + [aprinter] path = /usr/spool/public - read only = true + writeable = false printable = true - public = true - -.SH SPECIAL SECTIONS - -.SS The [global] section -.RS 3 -Parameters in this section apply to the server as a whole, or are defaults -for services which do not specifically define certain items. See the notes -under 'Parameters' for more information. -.RE - -.SS The [homes] section -.RS 3 -If a section called 'homes' is included in the configuration file, services -connecting clients to their home directories can be created on the fly by the -server. - -When the connection request is made, the existing services are scanned. If a -match is found, it is used. If no match is found, the requested service name is -treated as a user name and looked up in the local passwords file. If the -name exists and the correct password has been given, a service is created -by cloning the [homes] section. - -Some modifications are then made to the newly created section: - -.RS 3 -The service name is changed from 'homes' to the located username - -If no path was given, the path is set to the user's home directory. -.RE - -If you decide to use a path= line in your [homes] section then you may -find it useful to use the %S macro. For example path=/data/pchome/%S -would be useful if you have different home directories for your PCs -than for unix access. - -This is a fast and simple way to give a large number of clients access to -their home directories with a minimum of fuss. - -A similar process occurs if the requested service name is "homes", except that -the service name is not changed to that of the requesting user. This method -of using the [homes] section works well if different users share a client PC. - -The [homes] section can specify all the parameters a normal service section -can specify, though some make more sense than others. The following is a -typical and suitable [homes] section: - - [homes] - writable = yes - -An important point: - -.RS 3 -If guest access is specified in the [homes] section, all home directories will -be accessible to all clients -.B without a password. -In the very unlikely event -that this is actually desirable, it would be wise to also specify read only -access. + guest ok = true + + +.sp +.fi +.SH "SPECIAL SECTIONS" +.SS "THE GLOBAL SECTION" +.PP +parameters in this section apply to the server +as a whole, or are defaults for sections which do not +specifically define certain items. See the notes +under PARAMETERS for more information. +.SS "THE HOMES SECTION" +.PP +If a section called homes is included in the +configuration file, services connecting clients to their +home directories can be created on the fly by the server. +.PP +When the connection request is made, the existing +sections are scanned. If a match is found, it is used. If no +match is found, the requested section name is treated as a +user name and looked up in the local password file. If the +name exists and the correct password has been given, a share is +created by cloning the [homes] section. +.PP +Some modifications are then made to the newly +created share: +.TP 0.2i +\(bu +The share name is changed from homes to +the located username. +.TP 0.2i +\(bu +If no path was given, the path is set to +the user's home directory. +.PP +If you decide to use a \fBpath =\fR line +in your [homes] section then you may find it useful +to use the %S macro. For example : +.PP +.PP +\fBpath = /data/pchome/%S\fR +.PP +.PP +would be useful if you have different home directories +for your PCs than for UNIX access. +.PP +.PP +This is a fast and simple way to give a large number +of clients access to their home directories with a minimum +of fuss. +.PP +.PP +A similar process occurs if the requested section +name is "homes", except that the share name is not +changed to that of the requesting user. This method of using +the [homes] section works well if different users share +a client PC. +.PP +.PP +The [homes] section can specify all the parameters +a normal service section can specify, though some make more sense +than others. The following is a typical and suitable [homes] +section: +.PP +.sp +.nf + [homes] + writeable = yes + + +.sp +.fi +.PP +An important point is that if guest access is specified +in the [homes] section, all home directories will be +visible to all clients \fBwithout a password\fR. +In the very unlikely event that this is actually desirable, it +would be wise to also specify \fBread only +access\fR. +.PP +.PP +Note that the \fBbrowseable\fR flag for +auto home directories will be inherited from the global browseable +flag, not the [homes] browseable flag. This is useful as +it means setting \fBbrowseable = no\fR in +the [homes] section will hide the [homes] share but make +any auto home directories visible. +.PP +.SS "THE PRINTERS SECTION" +.PP +This section works like [homes], +but for printers. +.PP +If a [printers] section occurs in the +configuration file, users are able to connect to any printer +specified in the local host's printcap file. +.PP +When a connection request is made, the existing sections +are scanned. If a match is found, it is used. If no match is found, +but a [homes] section exists, it is used as described +above. Otherwise, the requested section name is treated as a +printer name and the appropriate printcap file is scanned to see +if the requested section name is a valid printer share name. If +a match is found, a new printer share is created by cloning +the [printers] section. +.PP +A few modifications are then made to the newly created +share: +.TP 0.2i +\(bu +The share name is set to the located printer +name +.TP 0.2i +\(bu +If no printer name was given, the printer name +is set to the located printer name +.TP 0.2i +\(bu +If the share does not permit guest access and +no username was given, the username is set to the located +printer name. +.PP +Note that the [printers] service MUST be +printable - if you specify otherwise, the server will refuse +to load the configuration file. +.PP +.PP +Typically the path specified would be that of a +world-writeable spool directory with the sticky bit set on +it. A typical [printers] entry would look like +this: +.PP +.sp +.nf + [printers] + path = /usr/spool/public + guest ok = yes + printable = yes + +.sp +.fi +.PP +All aliases given for a printer in the printcap file +are legitimate printer names as far as the server is concerned. +If your printing subsystem doesn't work like that, you will have +to set up a pseudo-printcap. This is a file consisting of one or +more lines like this: +.PP +.sp +.nf + alias|alias|alias|alias... + + +.sp +.fi +.PP +Each alias should be an acceptable printer name for +your printing subsystem. In the [global] section, specify +the new file as your printcap. The server will then only recognize +names found in your pseudo-printcap, which of course can contain +whatever aliases you like. The same technique could be used +simply to limit access to a subset of your local printers. +.PP +.PP +An alias, by the way, is defined as any component of the +first entry of a printcap record. Records are separated by newlines, +components (if there are more than one) are separated by vertical +bar symbols ('|'). +.PP +.PP +NOTE: On SYSV systems which use lpstat to determine what +printers are defined on the system you may be able to use +"printcap name = lpstat" to automatically obtain a list +of printers. See the "printcap name" option +for more details. +.PP +.SH "PARAMETERS" +.PP +parameters define the specific attributes of sections. +.PP +Some parameters are specific to the [global] section +(e.g., \fBsecurity\fR). Some parameters are usable +in all sections (e.g., \fBcreate mode\fR). All others +are permissible only in normal sections. For the purposes of the +following descriptions the [homes] and [printers] +sections will be considered normal. The letter \fBG\fR +in parentheses indicates that a parameter is specific to the +[global] section. The letter \fBS\fR +indicates that a parameter can be specified in a service specific +section. Note that all \fBS\fR parameters can also be specified in +the [global] section - in which case they will define +the default behavior for all services. +.PP +parameters are arranged here in alphabetical order - this may +not create best bedfellows, but at least you can find them! Where +there are synonyms, the preferred synonym is described, others refer +to the preferred synonym. +.SH "VARIABLE SUBSTITUTIONS" +.PP +Many of the strings that are settable in the config file +can take substitutions. For example the option "path = +/tmp/%u" would be interpreted as "path = +/tmp/john" if the user connected with the username john. +.PP +These substitutions are mostly noted in the descriptions below, +but there are some general substitutions which apply whenever they +might be relevant. These are: +.TP +\fB%S\fR +the name of the current service, if any. +.TP +\fB%P\fR +the root directory of the current service, +if any. +.TP +\fB%u\fR +user name of the current service, if any. +.TP +\fB%g\fR +primary group name of %u. +.TP +\fB%U\fR +session user name (the user name that the client +wanted, not necessarily the same as the one they got). +.TP +\fB%G\fR +primary group name of %U. +.TP +\fB%H\fR +the home directory of the user given +by %u. +.TP +\fB%v\fR +the Samba version. +.TP +\fB%h\fR +the Internet hostname that Samba is running +on. +.TP +\fB%m\fR +the NetBIOS name of the client machine +(very useful). +.TP +\fB%L\fR +the NetBIOS name of the server. This allows you +to change your config based on what the client calls you. Your +server can have a "dual personality". + +Note that this paramater is not available when Samba listens +on port 445, as clients no longer send this information +.TP +\fB%M\fR +the Internet name of the client machine. +.TP +\fB%N\fR +the name of your NIS home directory server. +This is obtained from your NIS auto.map entry. If you have +not compiled Samba with the \fB--with-automount\fR +option then this value will be the same as %L. +.TP +\fB%p\fR +the path of the service's home directory, +obtained from your NIS auto.map entry. The NIS auto.map entry +is split up as "%N:%p". +.TP +\fB%R\fR +the selected protocol level after +protocol negotiation. It can be one of CORE, COREPLUS, +LANMAN1, LANMAN2 or NT1. +.TP +\fB%d\fR +The process id of the current server +process. +.TP +\fB%a\fR +the architecture of the remote +machine. Only some are recognized, and those may not be +100% reliable. It currently recognizes Samba, WfWg, Win95, +WinNT and Win2k. Anything else will be known as +"UNKNOWN". If it gets it wrong then sending a level +3 log to samba@samba.org + <URL:mailto:samba@samba.org> should allow it to be fixed. +.TP +\fB%I\fR +The IP address of the client machine. +.TP +\fB%T\fR +the current date and time. +.TP +\fB%$(\fIenvvar\fB)\fR +The value of the environment variable +\fIenvar\fR. +.PP +There are some quite creative things that can be done +with these substitutions and other smb.conf options. +.PP +.SH "NAME MANGLING" +.PP +Samba supports "name mangling" so that DOS and +Windows clients can use files that don't conform to the 8.3 format. +It can also be set to adjust the case of 8.3 format filenames. +.PP +There are several options that control the way mangling is +performed, and they are grouped here rather than listed separately. +For the defaults look at the output of the testparm program. +.PP +All of these options can be set separately for each service +(or globally, of course). +.PP +The options are: +.TP +\fBmangle case = yes/no\fR +controls if names that have characters that +aren't of the "default" case are mangled. For example, +if this is yes then a name like "Mail" would be mangled. +Default \fBno\fR. +.TP +\fBcase sensitive = yes/no\fR +controls whether filenames are case sensitive. If +they aren't then Samba must do a filename search and match on passed +names. Default \fBno\fR. +.TP +\fBdefault case = upper/lower\fR +controls what the default case is for new +filenames. Default \fBlower\fR. +.TP +\fBpreserve case = yes/no\fR +controls if new files are created with the +case that the client passes, or if they are forced to be the +"default" case. Default \fByes\fR. +.TP +\fBshort preserve case = yes/no\fR +controls if new files which conform to 8.3 syntax, +that is all in upper case and of suitable length, are created +upper case, or if they are forced to be the "default" +case. This option can be use with "preserve case = yes" +to permit long filenames to retain their case, while short names +are lowercased. Default \fByes\fR. +.PP +By default, Samba 2.2 has the same semantics as a Windows +NT server, in that it is case insensitive but case preserving. +.PP +.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION" +.PP +There are a number of ways in which a user can connect +to a service. The server uses the following steps in determining +if it will allow a connection to a specified service. If all the +steps fail, then the connection request is rejected. However, if one of the +steps succeeds, then the following steps are not checked. +.PP +If the service is marked "guest only = yes" then +steps 1 to 5 are skipped. +.IP 1. +If the client has passed a username/password +pair and that username/password pair is validated by the UNIX +system's password programs then the connection is made as that +username. Note that this includes the +\\\\server\\service%\fIusername\fR method of passing +a username. +.IP 2. +If the client has previously registered a username +with the system and now supplies a correct password for that +username then the connection is allowed. +.IP 3. +The client's NetBIOS name and any previously +used user names are checked against the supplied password, if +they match then the connection is allowed as the corresponding +user. +.IP 4. +If the client has previously validated a +username/password pair with the server and the client has passed +the validation token then that username is used. +.IP 5. +If a "user = " field is given in the +\fIsmb.conf\fR file for the service and the client +has supplied a password, and that password matches (according to +the UNIX system's password checking) with one of the usernames +from the "user =" field then the connection is made as +the username in the "user =" line. If one +of the username in the "user =" list begins with a +\&'@' then that name expands to a list of names in +the group of the same name. +.IP 6. +If the service is a guest service then a +connection is made as the username given in the "guest +account =" for the service, irrespective of the +supplied password. +.SH "COMPLETE LIST OF GLOBAL PARAMETERS" +.PP +Here is a list of all global parameters. See the section of +each parameter for details. Note that some are synonyms. +.TP 0.2i +\(bu +\fIabort shutdown script\fR +.TP 0.2i +\(bu +\fIadd printer command\fR +.TP 0.2i +\(bu +\fIadd share command\fR +.TP 0.2i +\(bu +\fIadd user script\fR +.TP 0.2i +\(bu +\fIadd machine script\fR +.TP 0.2i +\(bu +\fIallow trusted domains\fR +.TP 0.2i +\(bu +\fIannounce as\fR +.TP 0.2i +\(bu +\fIannounce version\fR +.TP 0.2i +\(bu +\fIauth methods\fR +.TP 0.2i +\(bu +\fIauto services\fR +.TP 0.2i +\(bu +\fIbind interfaces only\fR +.TP 0.2i +\(bu +\fIbrowse list\fR +.TP 0.2i +\(bu +\fIchange notify timeout\fR +.TP 0.2i +\(bu +\fIchange share command\fR +.TP 0.2i +\(bu +\fIconfig file\fR +.TP 0.2i +\(bu +\fIdeadtime\fR +.TP 0.2i +\(bu +\fIdebug hires timestamp\fR +.TP 0.2i +\(bu +\fIdebug pid\fR +.TP 0.2i +\(bu +\fIdebug timestamp\fR +.TP 0.2i +\(bu +\fIdebug uid\fR +.TP 0.2i +\(bu +\fIdebuglevel\fR +.TP 0.2i +\(bu +\fIdefault\fR +.TP 0.2i +\(bu +\fIdefault service\fR +.TP 0.2i +\(bu +\fIdelete printer command\fR +.TP 0.2i +\(bu +\fIdelete share command\fR +.TP 0.2i +\(bu +\fIdelete user script\fR +.TP 0.2i +\(bu +\fIdfree command\fR +.TP 0.2i +\(bu +\fIdisable spoolss\fR +.TP 0.2i +\(bu +\fIdns proxy\fR +.TP 0.2i +\(bu +\fIdomain admin group\fR +.TP 0.2i +\(bu +\fIdomain guest group\fR +.TP 0.2i +\(bu +\fIdomain logons\fR +.TP 0.2i +\(bu +\fIdomain master\fR +.TP 0.2i +\(bu +\fIencrypt passwords\fR +.TP 0.2i +\(bu +\fIenhanced browsing\fR +.TP 0.2i +\(bu +\fIenumports command\fR +.TP 0.2i +\(bu +\fIgetwd cache\fR +.TP 0.2i +\(bu +\fIhide local users\fR +.TP 0.2i +\(bu +\fIhide unreadable\fR +.TP 0.2i +\(bu +\fIhomedir map\fR +.TP 0.2i +\(bu +\fIhost msdfs\fR +.TP 0.2i +\(bu +\fIhosts equiv\fR +.TP 0.2i +\(bu +\fIinterfaces\fR +.TP 0.2i +\(bu +\fIkeepalive\fR +.TP 0.2i +\(bu +\fIkernel oplocks\fR +.TP 0.2i +\(bu +\fIlanman auth\fR +.TP 0.2i +\(bu +\fIlarge readwrite\fR +.TP 0.2i +\(bu +\fIldap admin dn\fR +.TP 0.2i +\(bu +\fIldap filter\fR +.TP 0.2i +\(bu +\fIldap port\fR +.TP 0.2i +\(bu +\fIldap server\fR +.TP 0.2i +\(bu +\fIldap ssl\fR +.TP 0.2i +\(bu +\fIldap suffix\fR +.TP 0.2i +\(bu +\fIlm announce\fR +.TP 0.2i +\(bu +\fIlm interval\fR +.TP 0.2i +\(bu +\fIload printers\fR +.TP 0.2i +\(bu +\fIlocal master\fR +.TP 0.2i +\(bu +\fIlock dir\fR +.TP 0.2i +\(bu +\fIlock directory\fR +.TP 0.2i +\(bu +\fIlog file\fR +.TP 0.2i +\(bu +\fIlog level\fR +.TP 0.2i +\(bu +\fIlogon drive\fR +.TP 0.2i +\(bu +\fIlogon home\fR +.TP 0.2i +\(bu +\fIlogon path\fR +.TP 0.2i +\(bu +\fIlogon script\fR +.TP 0.2i +\(bu +\fIlpq cache time\fR +.TP 0.2i +\(bu +\fImachine password timeout\fR +.TP 0.2i +\(bu +\fImangled stack\fR +.TP 0.2i +\(bu +\fImap to guest\fR +.TP 0.2i +\(bu +\fImax disk size\fR +.TP 0.2i +\(bu +\fImax log size\fR +.TP 0.2i +\(bu +\fImax mux\fR +.TP 0.2i +\(bu +\fImax open files\fR +.TP 0.2i +\(bu +\fImax protocol\fR +.TP 0.2i +\(bu +\fImax smbd processes\fR +.TP 0.2i +\(bu +\fImax ttl\fR +.TP 0.2i +\(bu +\fImax wins ttl\fR +.TP 0.2i +\(bu +\fImax xmit\fR +.TP 0.2i +\(bu +\fImessage command\fR +.TP 0.2i +\(bu +\fImin passwd length\fR +.TP 0.2i +\(bu +\fImin password length\fR +.TP 0.2i +\(bu +\fImin protocol\fR +.TP 0.2i +\(bu +\fImin wins ttl\fR +.TP 0.2i +\(bu +\fIname resolve order\fR +.TP 0.2i +\(bu +\fInetbios aliases\fR +.TP 0.2i +\(bu +\fInetbios name\fR +.TP 0.2i +\(bu +\fInetbios scope\fR +.TP 0.2i +\(bu +\fInis homedir\fR +.TP 0.2i +\(bu +\fInon unix account range\fR +.TP 0.2i +\(bu +\fInt pipe support\fR +.TP 0.2i +\(bu +\fInull passwords\fR +.TP 0.2i +\(bu +\fIobey pam restrictions\fR +.TP 0.2i +\(bu +\fIoplock break wait time\fR +.TP 0.2i +\(bu +\fIos level\fR +.TP 0.2i +\(bu +\fIos2 driver map\fR +.TP 0.2i +\(bu +\fIpam password change\fR +.TP 0.2i +\(bu +\fIpanic action\fR +.TP 0.2i +\(bu +\fIpassdb backend\fR +.TP 0.2i +\(bu +\fIpasswd chat\fR +.TP 0.2i +\(bu +\fIpasswd chat debug\fR +.TP 0.2i +\(bu +\fIpasswd program\fR +.TP 0.2i +\(bu +\fIpassword level\fR +.TP 0.2i +\(bu +\fIpassword server\fR +.TP 0.2i +\(bu +\fIprefered master\fR +.TP 0.2i +\(bu +\fIpreferred master\fR +.TP 0.2i +\(bu +\fIpreload\fR +.TP 0.2i +\(bu +\fIprintcap\fR +.TP 0.2i +\(bu +\fIprintcap name\fR +.TP 0.2i +\(bu +\fIprinter driver file\fR +.TP 0.2i +\(bu +\fIprivate dir\fR +.TP 0.2i +\(bu +\fIprotocol\fR +.TP 0.2i +\(bu +\fIread bmpx\fR +.TP 0.2i +\(bu +\fIread raw\fR +.TP 0.2i +\(bu +\fIread size\fR +.TP 0.2i +\(bu +\fIremote announce\fR +.TP 0.2i +\(bu +\fIremote browse sync\fR +.TP 0.2i +\(bu +\fIrestrict anonymous\fR +.TP 0.2i +\(bu +\fIroot\fR +.TP 0.2i +\(bu +\fIroot dir\fR +.TP 0.2i +\(bu +\fIroot directory\fR +.TP 0.2i +\(bu +\fIsecurity\fR +.TP 0.2i +\(bu +\fIserver string\fR +.TP 0.2i +\(bu +\fIshow add printer wizard\fR +.TP 0.2i +\(bu +\fIshutdown script\fR +.TP 0.2i +\(bu +\fIsmb passwd file\fR +.TP 0.2i +\(bu +\fIsocket address\fR +.TP 0.2i +\(bu +\fIsocket options\fR +.TP 0.2i +\(bu +\fIsource environment\fR +.TP 0.2i +\(bu +\fIssl\fR +.TP 0.2i +\(bu +\fIssl CA certDir\fR +.TP 0.2i +\(bu +\fIssl CA certFile\fR +.TP 0.2i +\(bu +\fIssl ciphers\fR +.TP 0.2i +\(bu +\fIssl client cert\fR +.TP 0.2i +\(bu +\fIssl client key\fR +.TP 0.2i +\(bu +\fIssl compatibility\fR +.TP 0.2i +\(bu +\fIssl egd socket\fR +.TP 0.2i +\(bu +\fIssl entropy bytes\fR +.TP 0.2i +\(bu +\fIssl entropy file\fR +.TP 0.2i +\(bu +\fIssl hosts\fR +.TP 0.2i +\(bu +\fIssl hosts resign\fR +.TP 0.2i +\(bu +\fIssl require clientcert\fR +.TP 0.2i +\(bu +\fIssl require servercert\fR +.TP 0.2i +\(bu +\fIssl server cert\fR +.TP 0.2i +\(bu +\fIssl server key\fR +.TP 0.2i +\(bu +\fIssl version\fR +.TP 0.2i +\(bu +\fIstat cache\fR +.TP 0.2i +\(bu +\fIstat cache size\fR +.TP 0.2i +\(bu +\fIstrip dot\fR +.TP 0.2i +\(bu +\fIsyslog\fR +.TP 0.2i +\(bu +\fIsyslog only\fR +.TP 0.2i +\(bu +\fItemplate homedir\fR +.TP 0.2i +\(bu +\fItemplate shell\fR +.TP 0.2i +\(bu +\fItime offset\fR +.TP 0.2i +\(bu +\fItime server\fR +.TP 0.2i +\(bu +\fItimestamp logs\fR +.TP 0.2i +\(bu +\fItotal print jobs\fR +.TP 0.2i +\(bu +\fIunix extensions\fR +.TP 0.2i +\(bu +\fIunix password sync\fR +.TP 0.2i +\(bu +\fIupdate encrypted\fR +.TP 0.2i +\(bu +\fIuse mmap\fR +.TP 0.2i +\(bu +\fIuse rhosts\fR +.TP 0.2i +\(bu +\fIusername level\fR +.TP 0.2i +\(bu +\fIusername map\fR +.TP 0.2i +\(bu +\fIutmp\fR +.TP 0.2i +\(bu +\fIutmp directory\fR +.TP 0.2i +\(bu +\fIwinbind cache time\fR +.TP 0.2i +\(bu +\fIwinbind enum users\fR +.TP 0.2i +\(bu +\fIwinbind enum groups\fR +.TP 0.2i +\(bu +\fIwinbind gid\fR +.TP 0.2i +\(bu +\fIwinbind separator\fR +.TP 0.2i +\(bu +\fIwinbind uid\fR +.TP 0.2i +\(bu +\fIwinbind use default domain\fR +.TP 0.2i +\(bu +\fIwins hook\fR +.TP 0.2i +\(bu +\fIwins proxy\fR +.TP 0.2i +\(bu +\fIwins server\fR +.TP 0.2i +\(bu +\fIwins support\fR +.TP 0.2i +\(bu +\fIworkgroup\fR +.TP 0.2i +\(bu +\fIwrite raw\fR +.SH "COMPLETE LIST OF SERVICE PARAMETERS" +.PP +Here is a list of all service parameters. See the section on +each parameter for details. Note that some are synonyms. +.TP 0.2i +\(bu +\fIadmin users\fR +.TP 0.2i +\(bu +\fIallow hosts\fR +.TP 0.2i +\(bu +\fIavailable\fR +.TP 0.2i +\(bu +\fIblocking locks\fR +.TP 0.2i +\(bu +\fIbrowsable\fR +.TP 0.2i +\(bu +\fIbrowseable\fR +.TP 0.2i +\(bu +\fIcase sensitive\fR +.TP 0.2i +\(bu +\fIcasesignames\fR +.TP 0.2i +\(bu +\fIcomment\fR +.TP 0.2i +\(bu +\fIcopy\fR +.TP 0.2i +\(bu +\fIcreate mask\fR +.TP 0.2i +\(bu +\fIcreate mode\fR +.TP 0.2i +\(bu +\fIdefault case\fR +.TP 0.2i +\(bu +\fIdefault devmode\fR +.TP 0.2i +\(bu +\fIdelete readonly\fR +.TP 0.2i +\(bu +\fIdelete veto files\fR +.TP 0.2i +\(bu +\fIdeny hosts\fR +.TP 0.2i +\(bu +\fIdirectory\fR +.TP 0.2i +\(bu +\fIdirectory mask\fR +.TP 0.2i +\(bu +\fIdirectory mode\fR +.TP 0.2i +\(bu +\fIdirectory security mask\fR +.TP 0.2i +\(bu +\fIdont descend\fR +.TP 0.2i +\(bu +\fIdos filemode\fR +.TP 0.2i +\(bu +\fIdos filetime resolution\fR +.TP 0.2i +\(bu +\fIdos filetimes\fR +.TP 0.2i +\(bu +\fIexec\fR +.TP 0.2i +\(bu +\fIfake directory create times\fR +.TP 0.2i +\(bu +\fIfake oplocks\fR +.TP 0.2i +\(bu +\fIfollow symlinks\fR +.TP 0.2i +\(bu +\fIforce create mode\fR +.TP 0.2i +\(bu +\fIforce directory mode\fR +.TP 0.2i +\(bu +\fIforce directory security mode\fR +.TP 0.2i +\(bu +\fIforce group\fR +.TP 0.2i +\(bu +\fIforce security mode\fR +.TP 0.2i +\(bu +\fIforce user\fR +.TP 0.2i +\(bu +\fIfstype\fR +.TP 0.2i +\(bu +\fIgroup\fR +.TP 0.2i +\(bu +\fIguest account\fR +.TP 0.2i +\(bu +\fIguest ok\fR +.TP 0.2i +\(bu +\fIguest only\fR +.TP 0.2i +\(bu +\fIhide dot files\fR +.TP 0.2i +\(bu +\fIhide files\fR +.TP 0.2i +\(bu +\fIhosts allow\fR +.TP 0.2i +\(bu +\fIhosts deny\fR +.TP 0.2i +\(bu +\fIinclude\fR +.TP 0.2i +\(bu +\fIinherit permissions\fR +.TP 0.2i +\(bu +\fIinvalid users\fR +.TP 0.2i +\(bu +\fIlevel2 oplocks\fR +.TP 0.2i +\(bu +\fIlocking\fR +.TP 0.2i +\(bu +\fIlppause command\fR +.TP 0.2i +\(bu +\fIlpq command\fR +.TP 0.2i +\(bu +\fIlpresume command\fR +.TP 0.2i +\(bu +\fIlprm command\fR +.TP 0.2i +\(bu +\fImagic output\fR +.TP 0.2i +\(bu +\fImagic script\fR +.TP 0.2i +\(bu +\fImangle case\fR +.TP 0.2i +\(bu +\fImangled map\fR +.TP 0.2i +\(bu +\fImangled names\fR +.TP 0.2i +\(bu +\fImangling char\fR +.TP 0.2i +\(bu +\fImap archive\fR +.TP 0.2i +\(bu +\fImap hidden\fR +.TP 0.2i +\(bu +\fImap system\fR +.TP 0.2i +\(bu +\fImax connections\fR +.TP 0.2i +\(bu +\fImax print jobs\fR +.TP 0.2i +\(bu +\fImin print space\fR +.TP 0.2i +\(bu +\fImsdfs root\fR +.TP 0.2i +\(bu +\fInt acl support\fR +.TP 0.2i +\(bu +\fIonly guest\fR +.TP 0.2i +\(bu +\fIonly user\fR +.TP 0.2i +\(bu +\fIoplock contention limit\fR +.TP 0.2i +\(bu +\fIoplocks\fR +.TP 0.2i +\(bu +\fIpath\fR +.TP 0.2i +\(bu +\fIposix locking\fR +.TP 0.2i +\(bu +\fIpostexec\fR +.TP 0.2i +\(bu +\fIpostscript\fR +.TP 0.2i +\(bu +\fIpreexec\fR +.TP 0.2i +\(bu +\fIpreexec close\fR +.TP 0.2i +\(bu +\fIpreserve case\fR +.TP 0.2i +\(bu +\fIprint command\fR +.TP 0.2i +\(bu +\fIprint ok\fR +.TP 0.2i +\(bu +\fIprintable\fR +.TP 0.2i +\(bu +\fIprinter\fR +.TP 0.2i +\(bu +\fIprinter admin\fR +.TP 0.2i +\(bu +\fIprinter driver\fR +.TP 0.2i +\(bu +\fIprinter driver location\fR +.TP 0.2i +\(bu +\fIprinter name\fR +.TP 0.2i +\(bu +\fIprinting\fR +.TP 0.2i +\(bu +\fIpublic\fR +.TP 0.2i +\(bu +\fIqueuepause command\fR +.TP 0.2i +\(bu +\fIqueueresume command\fR +.TP 0.2i +\(bu +\fIread list\fR +.TP 0.2i +\(bu +\fIread only\fR +.TP 0.2i +\(bu +\fIroot postexec\fR +.TP 0.2i +\(bu +\fIroot preexec\fR +.TP 0.2i +\(bu +\fIroot preexec close\fR +.TP 0.2i +\(bu +\fIsecurity mask\fR +.TP 0.2i +\(bu +\fIset directory\fR +.TP 0.2i +\(bu +\fIshort preserve case\fR +.TP 0.2i +\(bu +\fIstatus\fR +.TP 0.2i +\(bu +\fIstrict allocate\fR +.TP 0.2i +\(bu +\fIstrict locking\fR +.TP 0.2i +\(bu +\fIstrict sync\fR +.TP 0.2i +\(bu +\fIsync always\fR +.TP 0.2i +\(bu +\fIuse client driver\fR +.TP 0.2i +\(bu +\fIuser\fR +.TP 0.2i +\(bu +\fIusername\fR +.TP 0.2i +\(bu +\fIusers\fR +.TP 0.2i +\(bu +\fIvalid users\fR +.TP 0.2i +\(bu +\fIveto files\fR +.TP 0.2i +\(bu +\fIveto oplock files\fR +.TP 0.2i +\(bu +\fIvfs object\fR +.TP 0.2i +\(bu +\fIvfs options\fR +.TP 0.2i +\(bu +\fIvolume\fR +.TP 0.2i +\(bu +\fIwide links\fR +.TP 0.2i +\(bu +\fIwritable\fR +.TP 0.2i +\(bu +\fIwrite cache size\fR +.TP 0.2i +\(bu +\fIwrite list\fR +.TP 0.2i +\(bu +\fIwrite ok\fR +.TP 0.2i +\(bu +\fIwriteable\fR +.SH "EXPLANATION OF EACH PARAMETER" +.TP +\fBabort shutdown script (G)\fR +\fBThis parameter only exists in the HEAD cvs branch\fR +This a full path name to a script called by +\fBsmbd(8)\fRthat +should stop a shutdown procedure issued by the \fIshutdown script\fR. + +This command will be run as user. + +Default: \fBNone\fR. + +Example: \fBabort shutdown script = /sbin/shutdown -c\fR +.TP +\fBadd printer command (G)\fR +With the introduction of MS-RPC based printing +support for Windows NT/2000 clients in Samba 2.2, The MS Add +Printer Wizard (APW) icon is now also available in the +"Printers..." folder displayed a share listing. The APW +allows for printers to be add remotely to a Samba or Windows +NT/2000 print server. + +For a Samba host this means that the printer must be +physically added to the underlying printing system. The \fIadd +printer command\fR defines a script to be run which +will perform the necessary operations for adding the printer +to the print system and to add the appropriate service definition +to the \fIsmb.conf\fR file in order that it can be +shared by \fBsmbd(8)\fR +. + +The \fIadd printer command\fR is +automatically invoked with the following parameter (in +order: +.RS +.TP 0.2i +\(bu +\fIprinter name\fR +.TP 0.2i +\(bu +\fIshare name\fR +.TP 0.2i +\(bu +\fIport name\fR +.TP 0.2i +\(bu +\fIdriver name\fR +.TP 0.2i +\(bu +\fIlocation\fR +.TP 0.2i +\(bu +\fIWindows 9x driver location\fR .RE +.PP +All parameters are filled in from the PRINTER_INFO_2 structure sent +by the Windows NT/2000 client with one exception. The "Windows 9x +driver location" parameter is included for backwards compatibility +only. The remaining fields in the structure are generated from answers +to the APW questions. +.PP +.PP +Once the \fIadd printer command\fR has +been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to determine if the share defined by the APW +exists. If the sharename is still invalid, then \fBsmbd +\fRwill return an ACCESS_DENIED error to the client. +.PP +.PP +See also \fI delete printer command\fR, \fIprinting\fR, +\fIshow add +printer wizard\fR +.PP +.PP +Default: \fBnone\fR +.PP +.PP +Example: \fBaddprinter command = /usr/bin/addprinter +\fR.PP +.TP +\fBadd share command (G)\fR +Samba 2.2.0 introduced the ability to dynamically +add and delete shares via the Windows NT 4.0 Server Manager. The +\fIadd share command\fR is used to define an +external program or script which will add a new service definition +to \fIsmb.conf\fR. In order to successfully +execute the \fIadd share command\fR, \fBsmbd\fR +requires that the administrator be connected using a root account (i.e. +uid == 0). + +When executed, \fBsmbd\fR will automatically invoke the +\fIadd share command\fR with four parameters. +.RS +.TP 0.2i +\(bu +\fIconfigFile\fR - the location +of the global \fIsmb.conf\fR file. +.TP 0.2i +\(bu +\fIshareName\fR - the name of the new +share. +.TP 0.2i +\(bu +\fIpathName\fR - path to an **existing** +directory on disk. +.TP 0.2i +\(bu +\fIcomment\fR - comment string to associate +with the new share. .RE - -Note that the browseable flag for auto home directories will be -inherited from the global browseable flag, not the [homes] browseable -flag. This is useful as it means setting browseable=no in the [homes] -section will hide the [homes] service but make any auto home -directories visible. - -.SS The [printers] section -.RS 3 -This section works like [homes], but for printers. - -If a [printers] section occurs in the configuration file, users are able -to connect to any printer specified in the local host's printcap file. - -When a connection request is made, the existing services are scanned. If a -match is found, it is used. If no match is found, but a [homes] section -exists, it is used as described above. Otherwise, the requested service name is -treated as a printer name and the appropriate printcap file is scanned to -see if the requested service name is a valid printer name. If a match is -found, a new service is created by cloning the [printers] section. - -A few modifications are then made to the newly created section: - -.RS 3 -The service name is set to the located printer name - -If no printer name was given, the printer name is set to the located printer -name - -If the service does not permit guest access and no username was given, the -username is set to the located printer name. +.PP +This parameter is only used for add file shares. To add printer shares, +see the \fIadd printer +command\fR. +.PP +.PP +See also \fIchange share +command\fR, \fIdelete share +command\fR. +.PP +.PP +Default: \fBnone\fR +.PP +.PP +Example: \fBadd share command = /usr/local/bin/addshare\fR +.PP +.TP +\fBadd machine script (G)\fR +This is the full pathname to a script that will +be run by smbd(8)when a machine is added +to it's domain using the administrator username and password method. + +This option is only required when using sam back-ends tied to the +Unix uid method of RID calculation such as smbpasswd. This option is only +available in Samba 3.0. + +Default: \fBadd machine script = <empty string> +\fR +Example: \fBadd machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u +\fR.TP +\fBadd user script (G)\fR +This is the full pathname to a script that will +be run \fBAS ROOT\fR by smbd(8) +under special circumstances described below. + +Normally, a Samba server requires that UNIX users are +created for all users accessing files on this server. For sites +that use Windows NT account databases as their primary user database +creating these users and keeping the user list in sync with the +Windows NT PDC is an onerous task. This option allows smbdto create the required UNIX users +\fBON DEMAND\fR when a user accesses the Samba server. + +In order to use this option, smbd +must \fBNOT\fR be set to \fIsecurity = share\fR +and \fIadd user script\fR +must be set to a full pathname for a script that will create a UNIX +user given one argument of \fI%u\fR, which expands into +the UNIX user name to create. + +When the Windows user attempts to access the Samba server, +at login (session setup in the SMB protocol) time, smbdcontacts the \fIpassword server\fR and +attempts to authenticate the given user with the given password. If the +authentication succeeds then \fBsmbd\fR +attempts to find a UNIX user in the UNIX password database to map the +Windows user into. If this lookup fails, and \fIadd user script +\fRis set then \fBsmbd\fR will +call the specified script \fBAS ROOT\fR, expanding +any \fI%u\fR argument to be the user name to create. + +If this script successfully creates the user then \fBsmbd +\fRwill continue on as though the UNIX user +already existed. In this way, UNIX users are dynamically created to +match existing Windows NT accounts. + +See also \fI security\fR, \fIpassword server\fR, +\fIdelete user +script\fR. + +Default: \fBadd user script = <empty string> +\fR +Example: \fBadd user script = /usr/local/samba/bin/add_user +%u\fR +.TP +\fBadmin users (S)\fR +This is a list of users who will be granted +administrative privileges on the share. This means that they +will do all file operations as the super-user (root). + +You should use this option very carefully, as any user in +this list will be able to do anything they like on the share, +irrespective of file permissions. + +Default: \fBno admin users\fR + +Example: \fBadmin users = jason\fR +.TP +\fBallow hosts (S)\fR +Synonym for \fIhosts allow\fR. +.TP +\fBallow trusted domains (G)\fR +This option only takes effect when the \fIsecurity\fR option is set to +server or domain. +If it is set to no, then attempts to connect to a resource from +a domain or workgroup other than the one which smbdis running +in will fail, even if that domain is trusted by the remote server +doing the authentication. + +This is useful if you only want your Samba server to +serve resources to users in the domain it is a member of. As +an example, suppose that there are two domains DOMA and DOMB. DOMB +is trusted by DOMA, which contains the Samba server. Under normal +circumstances, a user with an account in DOMB can then access the +resources of a UNIX account with the same account name on the +Samba server even if they do not have an account in DOMA. This +can make implementing a security boundary difficult. + +Default: \fBallow trusted domains = yes\fR +.TP +\fBannounce as (G)\fR +This specifies what type of server +\fBnmbd\fR +will announce itself as, to a network neighborhood browse +list. By default this is set to Windows NT. The valid options +are : "NT Server" (which can also be written as "NT"), +"NT Workstation", "Win95" or "WfW" meaning Windows NT Server, +Windows NT Workstation, Windows 95 and Windows for Workgroups +respectively. Do not change this parameter unless you have a +specific need to stop Samba appearing as an NT server as this +may prevent Samba servers from participating as browser servers +correctly. + +Default: \fBannounce as = NT Server\fR + +Example: \fBannounce as = Win95\fR +.TP +\fBannounce version (G)\fR +This specifies the major and minor version numbers +that nmbd will use when announcing itself as a server. The default +is 4.2. Do not change this parameter unless you have a specific +need to set a Samba server to be a downlevel server. + +Default: \fBannounce version = 4.5\fR + +Example: \fBannounce version = 2.0\fR +.TP +\fBauto services (G)\fR +This is a synonym for the \fIpreload\fR. +.TP +\fBauth methods (G)\fR +This option allows the administrator to chose what +authentication methods \fBsmbd\fR will use when authenticating +a user. This option defaults to sensible values based on \fI security\fR. +Each entry in the list attempts to authenticate the user in turn, until +the user authenticates. In practice only one method will ever actually +be able to complete the authentication. + +Default: \fBauth methods = <empty string>\fR + +Example: \fBauth methods = guest sam ntdomain\fR +.TP +\fBavailable (S)\fR +This parameter lets you "turn off" a service. If +\fIavailable = no\fR, then \fBALL\fR +attempts to connect to the service will fail. Such failures are +logged. + +Default: \fBavailable = yes\fR +.TP +\fBbind interfaces only (G)\fR +This global parameter allows the Samba admin +to limit what interfaces on a machine will serve SMB requests. If +affects file service smbd(8)and +name service nmbd(8)in slightly +different ways. + +For name service it causes \fBnmbd\fR to bind +to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd +\fRalso binds to the "all addresses" interface (0.0.0.0) +on ports 137 and 138 for the purposes of reading broadcast messages. +If this option is not set then \fBnmbd\fR will service +name requests on all of these sockets. If \fIbind interfaces +only\fR is set then \fBnmbd\fR will check the +source address of any packets coming in on the broadcast sockets +and discard any that don't match the broadcast addresses of the +interfaces in the \fIinterfaces\fR parameter list. +As unicast packets are received on the other sockets it allows +\fBnmbd\fR to refuse to serve names to machines that +send packets that arrive through any interfaces not listed in the +\fIinterfaces\fR list. IP Source address spoofing +does defeat this simple check, however so it must not be used +seriously as a security feature for \fBnmbd\fR. + +For file service it causes smbd(8) +to bind only to the interface list given in the interfaces parameter. This restricts the networks that +\fBsmbd\fR will serve to packets coming in those +interfaces. Note that you should not use this parameter for machines +that are serving PPP or other intermittent or non-broadcast network +interfaces as it will not cope with non-permanent interfaces. + +If \fIbind interfaces only\fR is set then +unless the network address \fB127.0.0.1\fR is added +to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fR +and \fBswat(8)\fRmay +not work as expected due to the reasons covered below. + +To change a users SMB password, the \fBsmbpasswd\fR +by default connects to the \fBlocalhost - 127.0.0.1\fR +address as an SMB client to issue the password change request. If +\fIbind interfaces only\fR is set then unless the +network address \fB127.0.0.1\fR is added to the +\fIinterfaces\fR parameter list then \fB smbpasswd\fR will fail to connect in it's default mode. +\fBsmbpasswd\fR can be forced to use the primary IP interface +of the local host by using its \fI-r remote machine\fR +parameter, with \fIremote machine\fR set +to the IP name of the primary interface of the local host. + +The \fBswat\fR status page tries to connect with +\fBsmbd\fR and \fBnmbd\fR at the address +\fB127.0.0.1\fR to determine if they are running. +Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show +"not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR +and \fBnmbd\fR. + +Default: \fBbind interfaces only = no\fR +.TP +\fBblocking locks (S)\fR +This parameter controls the behavior of smbd(8)when given a request by a client +to obtain a byte range lock on a region of an open file, and the +request has a time limit associated with it. + +If this parameter is set and the lock range requested +cannot be immediately satisfied, Samba 2.2 will internally +queue the lock request, and periodically attempt to obtain +the lock until the timeout period expires. + +If this parameter is set to false, then +Samba 2.2 will behave as previous versions of Samba would and +will fail the lock request immediately if the lock range +cannot be obtained. + +Default: \fBblocking locks = yes\fR +.TP +\fBbrowsable (S)\fR +See the \fI browseable\fR. +.TP +\fBbrowse list (G)\fR +This controls whether \fBsmbd(8)\fRwill serve a browse list to +a client doing a \fBNetServerEnum\fR call. Normally +set to true. You should never need to change +this. + +Default: \fBbrowse list = yes\fR +.TP +\fBbrowseable (S)\fR +This controls whether this share is seen in +the list of available shares in a net view and in the browse list. + +Default: \fBbrowseable = yes\fR +.TP +\fBcase sensitive (S)\fR +See the discussion in the section NAME MANGLING. + +Default: \fBcase sensitive = no\fR +.TP +\fBcasesignames (S)\fR +Synonym for case +sensitive. +.TP +\fBchange notify timeout (G)\fR +This SMB allows a client to tell a server to +"watch" a particular directory for any changes and only reply to +the SMB request when a change has occurred. Such constant scanning of +a directory is expensive under UNIX, hence an \fBsmbd(8)\fRdaemon only performs such a scan +on each requested directory once every \fIchange notify +timeout\fR seconds. + +Default: \fBchange notify timeout = 60\fR + +Example: \fBchange notify timeout = 300\fR + +Would change the scan time to every 5 minutes. +.TP +\fBchange share command (G)\fR +Samba 2.2.0 introduced the ability to dynamically +add and delete shares via the Windows NT 4.0 Server Manager. The +\fIchange share command\fR is used to define an +external program or script which will modify an existing service definition +in \fIsmb.conf\fR. In order to successfully +execute the \fIchange share command\fR, \fBsmbd\fR +requires that the administrator be connected using a root account (i.e. +uid == 0). + +When executed, \fBsmbd\fR will automatically invoke the +\fIchange share command\fR with four parameters. +.RS +.TP 0.2i +\(bu +\fIconfigFile\fR - the location +of the global \fIsmb.conf\fR file. +.TP 0.2i +\(bu +\fIshareName\fR - the name of the new +share. +.TP 0.2i +\(bu +\fIpathName\fR - path to an **existing** +directory on disk. +.TP 0.2i +\(bu +\fIcomment\fR - comment string to associate +with the new share. .RE - -Note that the [printers] service MUST be printable - if you specify otherwise, -the server will refuse to load the configuration file. - -Typically the path specified would be that of a world-writable spool directory -with the sticky bit set on it. A typical [printers] entry would look like this: - - [printers] - path = /usr/spool/public - writable = no - public = yes - printable = yes - -All aliases given for a printer in the printcap file are legitimate printer -names as far as the server is concerned. If your printing subsystem doesn't -work like that, you will have to set up a pseudo-printcap. This is a file -consisting of one or more lines like this: - - alias|alias|alias|alias... - -Each alias should be an acceptable printer name for your printing -subsystem. In the [global] section, specify the new file as your printcap. -The server will then only recognise names found in your pseudo-printcap, -which of course can contain whatever aliases you like. The same technique -could be used simply to limit access to a subset of your local printers. - -An alias, by the way, is defined as any component of the first entry of a -printcap record. Records are separated by newlines, components (if there are -more than one) are separated by vertical bar symbols ("|"). -.SH PARAMETERS -Parameters define the specific attributes of services. - -Some parameters are specific to the [global] section (eg., security). -Some parameters are usable in all sections (eg., create mode). All others are -permissible only in normal sections. For the purposes of the following -descriptions the [homes] and [printers] sections will be considered normal. -The letter 'G' in parentheses indicates that a parameter is specific to the -[global] section. The letter 'S' indicates that a parameter can be -specified in a secvice specific section. Note that all S parameters -can also be specified in the [global] section - in which case they -will define the default behaviour for all services. - -Parameters are arranged here in alphabetical order - this may not create -best bedfellows, but at least you can find them! Where there are synonyms, -the preferred synonym is described, others refer to the preferred synonym. - -.SS VARIABLE SUBSTITUTIONS - -Many of the strings that are settable in the config file can take -substitutions. For example the option "path = /tmp/%u" would be -interpreted as "path = /tmp/john" if the user connected with the -username john. - -These substitutions are mostly noted in the descriptions below, but -there are some general substitions which apply whenever they might be -relevant. These are: - -%S = the name of the current service, if any - -%P = the root directory of the current service, if any - -%u = user name of the current service, if any - -%g = primary group name of %u - -%U = session user name (the user name that the client wanted, not -necessarily the same as the one they got) - -%G = primary group name of %U - -%H = the home directory of the user given by %u - -%v = the Samba version - -%h = the hostname that Samba is running on - -%m = the netbios name of the client machine (very useful) - -%L = the netbios name of the server. This allows you to change your -config based on what the client calls you. Your server can have a "dual -personality". - -%M = the internet name of the client machine - -%d = The process id of the current server process - -%a = the architecture of the remote machine. Only some are recognised, -and those may not be 100% reliable. It currently recognises Samba, -WfWg, WinNT and Win95. Anything else will be known as "UNKNOWN". If it -gets it wrong then sending me a level 3 log should allow me to fix it. - -%I = The IP address of the client machine - -%T = the current date and time - -There are some quite creative things that can be done with these -substitutions and other smb.conf options. - -.SS NAME MANGLING - -Samba supports "name mangling" so that Dos and Windows clients can use -files that don't conform to the 8.3 format. It can also be set to adjust -the case of 8.3 format filenames. - -There are several options that control the way mangling is performed, -and they are grouped here rather than listed separately. For the -defaults look at the output of the testparm program. - -All of these options can be set separately for each service (or -globally, of course). - -The options are: - -"mangle case = yes/no" controls if names that have characters that -aren't of the "default" case are mangled. For example, if this is yes -then a name like "Mail" would be mangled. Default no. - -"case sensitive = yes/no" controls whether filenames are case -sensitive. If they aren't then Samba must do a filename search and -match on passed names. Default no. - -"default case = upper/lower" controls what the default case is for new -filenames. Default lower. - -"preserve case = yes/no" controls if new files are created with the -case that the client passes, or if they are forced to be the "default" -case. Default no. - -"short preserve case = yes/no" controls if new files which conform to 8.3 -syntax, that is all in upper case and of suitable length, are created -upper case, or if they are forced to be the "default" case. This option can -be use with "preserve case = yes" to permit long filenames to retain their -case, while short names are lowered. Default no. - -.SS COMPLETE LIST OF GLOBAL PARAMETER - -Here is a list of all global parameters. See the section of each -parameter for details. Note that some are synonyms. - -auto services - -config file - -deadtime - -debuglevel - -default - -default service - -dfree command - -encrypt passwords - -getwd cache - -hosts equiv - -include - -keepalive - -lock dir - -load printers - -lock directory - -log file - -log level - -lpq cache time - -mangled stack - -max log size - -max packet - -max xmit - -message command - -null passwords - -os level - -packet size - -passwd chat - -passwd program - -password level - -password server - -preferred master - -preload - -printing - -printcap name - -protocol - -read bmpx - -read prediction - -read raw - -read size - -root - -root dir - -root directory - -security - -server string - -smbrun - -socket options - -status - -strip dot - -time offset - -username map - -use rhosts - -valid chars - -workgroup - -write raw - -.SS COMPLETE LIST OF SERVICE PARAMETER - -Here is a list of all service parameters. See the section of each -parameter for details. Note that some are synonyms. - -admin users - -allow hosts - -alternate permissions - -available - -browseable - -case sensitive - -case sig names - -copy - -create mask - -create mode - -comment - -default case - -deny hosts - -directory - -dont descend - -exec - -force group - -force user - -guest account - -guest ok - -guest only - -hide dot files - -hosts allow - -hosts deny - -invalid users - -locking - -lppause command - -lpq command - -lpresume command - -lprm command - -magic output - -magic script - -mangle case - -mangled names - -mangling char - -map archive - -map hidden - -map system - -max connections - -min print space - -only guest - -only user - -path - -postexec - -postscript - -preserve case - -print command - -print ok - -printable - -printer - -printer name - -public - -read only - -read list - -revalidate - -root postexec - -root preexec - -set directory - -share modes - -short preserve case - -strict locking - -sync always - -user - -username - -users - -valid users - -volume - -wide links - -writable - -write ok - -writeable - -write list - -.SS EXPLANATION OF EACH PARAMETER -.RS 3 - -.SS admin users (G) - -This is a list of users who will be granted administrative privilages -on the share. This means that they will do all file operations as the -super-user (root). - -You should use this option very carefully, as any user in this list -will be able to do anything they like on the share, irrespective of -file permissions. - -.B Default: - no admin users - -.B Example: - admin users = jason - -.SS auto services (G) -This is a list of services that you want to be automatically added to -the browse lists. This is most useful for homes and printers services -that would otherwise not be visible. - -Note that if you just want all printers in your printcap file loaded -then the "load printers" option is easier. - -.B Default: - no auto services - -.B Example: - auto services = fred lp colorlp - - -.SS allow hosts (S) -A synonym for this parameter is 'hosts allow'. - -This parameter is a comma delimited set of hosts which are permitted to access -a services. If specified in the [global] section, matching hosts will be -allowed access to any service that does not specifically exclude them from -access. Specific services my have their own list, which override those -specified in the [global] section. - -You can specify the hosts by name or IP number. For example, you could -restrict access to only the hosts on a Class C subnet with something like -"allow hosts = 150.203.5.". The full syntax of the list is described in -the man page -.B hosts_access(5). - -You can also specify hosts by network/netmask pairs and by netgroup -names if your system supports netgroups. The EXCEPT keyword can also -be used to limit a wildcard list. The following examples may provide -some help: - -Example 1: allow all IPs in 150.203.*.* except one - - hosts allow = 150.203. EXCEPT 150.203.6.66 - -Example 2: allow hosts that match the given network/netmask - - hosts allow = 150.203.15.0/255.255.255.0 - -Example 3: allow a couple of hosts - - hosts allow = lapland, arvidsjaur - -Example 4: allow only hosts in netgroup "foonet" or localhost, but -deny access from one particular host - - hosts allow = @foonet, localhost - hosts deny = pirate - -Note that access still requires suitable user-level passwords. - -See testparm(1) for a way of testing your host access to see if it -does what you expect. - -.B Default: - none (ie., all hosts permitted access) - -.B Example: - allow hosts = 150.203.5. myhost.mynet.edu.au - -.SS alternate permissions (S) - -This option affects the way the "read only" DOS attribute is produced -for unix files. If this is false then the read only bit is set for -files on writeable shares which the user cannot write to. - -If this is true then it is set for files whos user write bit is not set. - -The latter behaviour of useful for when users copy files from each -others directories, and use a file manager that preserves -permissions. Without this option they may get annoyed as all copied -files will have the "read only" bit set. - -.B Default: - alternate permissions = no - -.B Example: - alternate permissions = yes - -.SS available (S) -This parameter lets you 'turn off' a service. If 'available = no', then -ALL attempts to connect to the service will fail. Such failures are logged. - -.B Default: - available = yes - -.B Example: - available = no -.SS browseable (S) -This controls whether this share is seen in the list of available -shares in a net view and in the browse list. - -.B Default: - browseable = Yes - -.B Example: - browseable = No - -.SS case sig names (G) -See "case sensitive" - -.SS comment (S) -This is a text field that is seen when a client does a net view to -list what shares are available. It will also be used when browsing is -fully supported. - -.B Default: - No comment string - -.B Example: - comment = Fred's Files - -.SS config file (G) - -This allows you to override the config file to use, instead of the -default (usually smb.conf). There is a chicken and egg problem here as -this option is set in the config file! - -For this reason, if the name of the config file has changed when the -parameters are loaded then it will reload them from the new config -file. - -This option takes the usual substitutions, which can be very useful. - -If thew config file doesn't exist then it won't be loaded (allowing -you to special case the config files of just a few clients). - -.B Example: - config file = /usr/local/samba/smb.conf.%m - -.SS copy (S) -This parameter allows you to 'clone' service entries. The specified -service is simply duplicated under the current service's name. Any -parameters specified in the current section will override those in the -section being copied. - -This feature lets you set up a 'template' service and create similar -services easily. Note that the service being copied must occur earlier -in the configuration file than the service doing the copying. - -.B Default: - none - -.B Example: - copy = otherservice -.SS create mask (S) -A synonym for this parameter is 'create mode'. - -This parameter is the octal modes which are used when converting DOS modes -to Unix modes. - -Note that Samba will or this value with 0700 as you must have at least -user read, write and execute for Samba to work properly. - -.B Default: - create mask = 0755 - -.B Example: - create mask = 0775 -.SS create mode (S) -See -.B create mask. -.SS dead time (G) -The value of the parameter (a decimal integer) represents the number of -minutes of inactivity before a connection is considered dead, and it -is disconnected. The deadtime only takes effect if the number of open files -is zero. - -This is useful to stop a server's resources being exhausted by a large -number of inactive connections. - -Most clients have an auto-reconnect feature when a connection is broken so -in most cases this parameter should be transparent to users. - -Using this parameter with a timeout of a few minutes is recommended -for most systems. - -A deadtime of zero indicates that no auto-disconnection should be performed. - -.B Default: - dead time = 0 - -.B Example: - dead time = 15 -.SS debug level (G) -The value of the parameter (an integer) allows the debug level -(logging level) to be specified in the smb.conf file. This is to give -greater flexibility in the configuration of the system. - -The default will be the debug level specified on the command line. - -.B Example: - debug level = 3 -.SS default (G) -See -.B default service. -.SS default case (S) - -See the section on "NAME MANGLING" Also note the addition of "short -preserve case" - -.SS default service (G) -A synonym for this parameter is 'default'. - -This parameter specifies the name of a service which will be connected to -if the service actually requested cannot be found. Note that the square -brackets are NOT given in the parameter value (see example below). - -There is no default value for this parameter. If this parameter is not given, -attempting to connect to a nonexistent service results in an error. - -Typically the default service would be a public, read-only service. - -Also not that s of 1.9.14 the apparent service name will be changed to -equal that of the requested service, this is very useful as it allows -you to use macros like %S to make a wildcard service. - -Note also that any _ characters in the name of the service used in the -default service will get mapped to a /. This allows for interesting -things. - - -.B Example: - default service = pub +.PP +This parameter is only used modify existing file shares definitions. To modify +printer shares, use the "Printers..." folder as seen when browsing the Samba host. +.PP +.PP +See also \fIadd share +command\fR, \fIdelete +share command\fR. +.PP +.PP +Default: \fBnone\fR +.PP +.PP +Example: \fBchange share command = /usr/local/bin/addshare\fR +.PP +.TP +\fBcomment (S)\fR +This is a text field that is seen next to a share +when a client does a queries the server, either via the network +neighborhood or via \fBnet view\fR to list what shares +are available. + +If you want to set the string that is displayed next to the +machine name then see the \fI server string\fR parameter. + +Default: \fBNo comment string\fR + +Example: \fBcomment = Fred's Files\fR +.TP +\fBconfig file (G)\fR +This allows you to override the config file +to use, instead of the default (usually \fIsmb.conf\fR). +There is a chicken and egg problem here as this option is set +in the config file! + +For this reason, if the name of the config file has changed +when the parameters are loaded then it will reload them from +the new config file. + +This option takes the usual substitutions, which can +be very useful. + +If the config file doesn't exist then it won't be loaded +(allowing you to special case the config files of just a few +clients). + +Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m +\fR.TP +\fBcopy (S)\fR +This parameter allows you to "clone" service +entries. The specified service is simply duplicated under the +current service's name. Any parameters specified in the current +section will override those in the section being copied. + +This feature lets you set up a 'template' service and +create similar services easily. Note that the service being +copied must occur earlier in the configuration file than the +service doing the copying. + +Default: \fBno value\fR + +Example: \fBcopy = otherservice\fR +.TP +\fBcreate mask (S)\fR +A synonym for this parameter is +\fIcreate mode\fR +\&. + +When a file is created, the necessary permissions are +calculated according to the mapping from DOS modes to UNIX +permissions, and the resulting UNIX mode is then bit-wise 'AND'ed +with this parameter. This parameter may be thought of as a bit-wise +MASK for the UNIX modes of a file. Any bit \fBnot\fR +set here will be removed from the modes set on a file when it is +created. + +The default value of this parameter removes the +\&'group' and 'other' write and execute bits from the UNIX modes. + +Following this Samba will bit-wise 'OR' the UNIX mode created +from this parameter with the value of the \fIforce create mode\fR +parameter which is set to 000 by default. + +This parameter does not affect directory modes. See the +parameter \fIdirectory mode +\fRfor details. + +See also the \fIforce +create mode\fR parameter for forcing particular mode +bits to be set on created files. See also the \fIdirectory mode\fR parameter for masking +mode bits on created directories. See also the \fIinherit permissions\fR parameter. + +Note that this parameter does not apply to permissions +set by Windows NT/2000 ACL editors. If the administrator wishes to enforce +a mask on access control lists also, they need to set the \fIsecurity mask\fR. + +Default: \fBcreate mask = 0744\fR + +Example: \fBcreate mask = 0775\fR +.TP +\fBcreate mode (S)\fR +This is a synonym for \fI create mask\fR. +.TP +\fBdeadtime (G)\fR +The value of the parameter (a decimal integer) +represents the number of minutes of inactivity before a connection +is considered dead, and it is disconnected. The deadtime only takes +effect if the number of open files is zero. + +This is useful to stop a server's resources being +exhausted by a large number of inactive connections. + +Most clients have an auto-reconnect feature when a +connection is broken so in most cases this parameter should be +transparent to users. + +Using this parameter with a timeout of a few minutes +is recommended for most systems. + +A deadtime of zero indicates that no auto-disconnection +should be performed. + +Default: \fBdeadtime = 0\fR + +Example: \fBdeadtime = 15\fR +.TP +\fBdebug hires timestamp (G)\fR +Sometimes the timestamps in the log messages +are needed with a resolution of higher that seconds, this +boolean parameter adds microsecond resolution to the timestamp +message header when turned on. + +Note that the parameter \fI debug timestamp\fR must be on for this to have an +effect. + +Default: \fBdebug hires timestamp = no\fR +.TP +\fBdebug pid (G)\fR +When using only one log file for more then one +forked smbd-process there may be hard to follow which process +outputs which message. This boolean parameter is adds the process-id +to the timestamp message headers in the logfile when turned on. + +Note that the parameter \fI debug timestamp\fR must be on for this to have an +effect. + +Default: \fBdebug pid = no\fR +.TP +\fBdebug timestamp (G)\fR +Samba 2.2 debug log messages are timestamped +by default. If you are running at a high \fIdebug level\fR these timestamps +can be distracting. This boolean parameter allows timestamping +to be turned off. + +Default: \fBdebug timestamp = yes\fR +.TP +\fBdebug uid (G)\fR +Samba is sometimes run as root and sometime +run as the connected user, this boolean parameter inserts the +current euid, egid, uid and gid to the timestamp message headers +in the log file if turned on. + +Note that the parameter \fI debug timestamp\fR must be on for this to have an +effect. + +Default: \fBdebug uid = no\fR +.TP +\fBdebuglevel (G)\fR +Synonym for \fI log level\fR. +.TP +\fBdefault (G)\fR +A synonym for \fI default service\fR. +.TP +\fBdefault case (S)\fR +See the section on NAME MANGLING. Also note the \fIshort preserve case\fR parameter. + +Default: \fBdefault case = lower\fR +.TP +\fBdefault devmode (S)\fR +This parameter is only applicable to printable services. When smbd is serving +Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba +server has a Device Mode which defines things such as paper size and +orientation and duplex settings. The device mode can only correctly be +generated by the printer driver itself (which can only be executed on a +Win32 platform). Because smbd is unable to execute the driver code +to generate the device mode, the default behavior is to set this field +to NULL. + +Most problems with serving printer drivers to Windows NT/2k/XP clients +can be traced to a problem with the generated device mode. Certain drivers +will do things such as crashing the client's Explorer.exe with a NULL devmode. +However, other printer drivers can cause the client's spooler service +(spoolsv.exe) to die if the devmode was not created by the driver itself +(i.e. smbd generates a default devmode). + +This parameter should be used with care and tested with the printer +driver in question. It is better to leave the device mode to NULL +and let the Windows client set the correct values. Because drivers do not +do this all the time, setting \fBdefault devmode = yes\fR +will instruct smbd to generate a default one. + +For more information on Windows NT/2k printing and Device Modes, +see the MSDN documentation <URL:http://msdn.microsoft.com/>. + +Default: \fBdefault devmode = no\fR +.TP +\fBdefault service (G)\fR +This parameter specifies the name of a service +which will be connected to if the service actually requested cannot +be found. Note that the square brackets are \fBNOT\fR +given in the parameter value (see example below). + +There is no default value for this parameter. If this +parameter is not given, attempting to connect to a nonexistent +service results in an error. + +Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service. + +Also note that the apparent service name will be changed +to equal that of the requested service, this is very useful as it +allows you to use macros like \fI%S\fR to make +a wildcard service. + +Note also that any "_" characters in the name of the service +used in the default service will get mapped to a "/". This allows for +interesting things. + +Example: + +.sp +.nf +[global] + default service = pub - [pub] - path = /%S - - -.SS deny hosts (S) -A synonym for this parameter is 'hosts deny'. - -The opposite of 'allow hosts' - hosts listed here are NOT permitted -access to services unless the specific services have their own lists to -override this one. Where the lists conflict, the 'allow' list takes precedence. - -.B Default: - none (ie., no hosts specifically excluded) - -.B Example: - deny hosts = 150.203.4. badhost.mynet.edu.au -.SS dfree command (G) -The dfree command setting should only be used on systems where a -problem occurs with the internal disk space calculations. This has -been known to happen with Ultrix, but may occur with other operating -systems. The symptom that was seen was an error of "Abort Retry -Ignore" at the end of each directory listing. +[pub] + path = /%S + +.sp +.fi +.TP +\fBdelete printer command (G)\fR +With the introduction of MS-RPC based printer +support for Windows NT/2000 clients in Samba 2.2, it is now +possible to delete printer at run time by issuing the +DeletePrinter() RPC call. + +For a Samba host this means that the printer must be +physically deleted from underlying printing system. The \fI deleteprinter command\fR defines a script to be run which +will perform the necessary operations for removing the printer +from the print system and from \fIsmb.conf\fR. + +The \fIdelete printer command\fR is +automatically called with only one parameter: \fI "printer name"\fR. + +Once the \fIdelete printer command\fR has +been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to associated printer no longer exists. +If the sharename is still valid, then \fBsmbd +\fRwill return an ACCESS_DENIED error to the client. + +See also \fI add printer command\fR, \fIprinting\fR, +\fIshow add +printer wizard\fR + +Default: \fBnone\fR + +Example: \fBdeleteprinter command = /usr/bin/removeprinter +\fR.TP +\fBdelete readonly (S)\fR +This parameter allows readonly files to be deleted. +This is not normal DOS semantics, but is allowed by UNIX. + +This option may be useful for running applications such +as rcs, where UNIX file ownership prevents changing file +permissions, and DOS semantics prevent deletion of a read only file. + +Default: \fBdelete readonly = no\fR +.TP +\fBdelete share command (G)\fR +Samba 2.2.0 introduced the ability to dynamically +add and delete shares via the Windows NT 4.0 Server Manager. The +\fIdelete share command\fR is used to define an +external program or script which will remove an existing service +definition from \fIsmb.conf\fR. In order to successfully +execute the \fIdelete share command\fR, \fBsmbd\fR +requires that the administrator be connected using a root account (i.e. +uid == 0). + +When executed, \fBsmbd\fR will automatically invoke the +\fIdelete share command\fR with two parameters. +.RS +.TP 0.2i +\(bu +\fIconfigFile\fR - the location +of the global \fIsmb.conf\fR file. +.TP 0.2i +\(bu +\fIshareName\fR - the name of +the existing service. +.RE +.PP +This parameter is only used to remove file shares. To delete printer shares, +see the \fIdelete printer +command\fR. +.PP +.PP +See also \fIadd share +command\fR, \fIchange +share command\fR. +.PP +.PP +Default: \fBnone\fR +.PP +.PP +Example: \fBdelete share command = /usr/local/bin/delshare\fR +.PP +.TP +\fBdelete user script (G)\fR +This is the full pathname to a script that will +be run \fBAS ROOT\fR by \fBsmbd(8)\fRunder special circumstances +described below. + +Normally, a Samba server requires that UNIX users are +created for all users accessing files on this server. For sites +that use Windows NT account databases as their primary user database +creating these users and keeping the user list in sync with the +Windows NT PDC is an onerous task. This option allows \fB smbd\fR to delete the required UNIX users \fBON +DEMAND\fR when a user accesses the Samba server and the +Windows NT user no longer exists. + +In order to use this option, \fBsmbd\fR must be +set to \fIsecurity = domain\fR or \fIsecurity = +user\fR and \fIdelete user script\fR +must be set to a full pathname for a script +that will delete a UNIX user given one argument of \fI%u\fR, +which expands into the UNIX user name to delete. + +When the Windows user attempts to access the Samba server, +at \fBlogin\fR (session setup in the SMB protocol) +time, \fBsmbd\fR contacts the \fIpassword server\fR and attempts to authenticate +the given user with the given password. If the authentication fails +with the specific Domain error code meaning that the user no longer +exists then \fBsmbd\fR attempts to find a UNIX user in +the UNIX password database that matches the Windows user account. If +this lookup succeeds, and \fIdelete user script\fR is +set then \fBsmbd\fR will all the specified script +\fBAS ROOT\fR, expanding any \fI%u\fR +argument to be the user name to delete. + +This script should delete the given UNIX username. In this way, +UNIX users are dynamically deleted to match existing Windows NT +accounts. + +See also security = domain, +\fIpassword server\fR +, \fIadd user script\fR +\&. + +Default: \fBdelete user script = <empty string> +\fR +Example: \fBdelete user script = /usr/local/samba/bin/del_user +%u\fR +.TP +\fBdelete veto files (S)\fR +This option is used when Samba is attempting to +delete a directory that contains one or more vetoed directories +(see the \fIveto files\fR +option). If this option is set to false (the default) then if a vetoed +directory contains any non-vetoed files or directories then the +directory delete will fail. This is usually what you want. + +If this option is set to true, then Samba +will attempt to recursively delete any files and directories within +the vetoed directory. This can be useful for integration with file +serving systems such as NetAtalk which create meta-files within +directories you might normally veto DOS/Windows users from seeing +(e.g. \fI.AppleDouble\fR) + +Setting \fBdelete veto files = yes\fR allows these +directories to be transparently deleted when the parent directory +is deleted (so long as the user has permissions to do so). + +See also the \fIveto +files\fR parameter. + +Default: \fBdelete veto files = no\fR +.TP +\fBdeny hosts (S)\fR +Synonym for \fIhosts +deny\fR. +.TP +\fBdfree command (G)\fR +The \fIdfree command\fR setting should +only be used on systems where a problem occurs with the internal +disk space calculations. This has been known to happen with Ultrix, +but may occur with other operating systems. The symptom that was +seen was an error of "Abort Retry Ignore" at the end of each +directory listing. This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill -this function. - -The external program will be passed a single parameter indicating a -directory in the filesystem being queried. This will typically consist -of the string "./". The script should return two integers in ascii. The -first should be the total disk space in blocks, and the second should -be the number of available blocks. An optional third return value -can give the block size in bytes. The default blocksize is 1024 bytes. - -Note: Your script should NOT be setuid or setgid and should be owned by -(and writable only by) root! - -.B Default: - By default internal routines for determining the disk capacity -and remaining space will be used. - -.B Example: - dfree command = /usr/local/smb/dfree - - Where the script dfree (which must be made executable) could be - - #!/bin/sh - df $1 | tail -1 | awk '{print $2" "$4}' - - or perhaps (on Sys V) - - #!/bin/sh - /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' - - - Note that you may have to replace the command names with full -path names on some systems. -.SS directory (S) -See -.B path. -.SS dont descend (S) -There are certain directories on some systems (eg., the /proc tree under -Linux) that are either not of interest to clients or are infinitely deep -(recursive). This parameter allows you to specify a comma-delimited list -of directories that the server should always show as empty. - -Note that Samba can be very fussy about the exact format of the "dont -descend" entries. For example you ma need "./proc" instead of just -"/proc". Experimentation is the best policy :-) - -.B Default: - none (ie., all directories are OK to descend) - -.B Example: - dont descend = /proc,/dev - -.SS encrypt passwords (G) - -This boolean controls whether encrypted passwords will be negotiated -with the cient. Note that this option has no effect if you haven't -compiled in the necessary des libraries and encryption code. It -defaults to no. - -.SS exec (S) - -This is an alias for preexec - - -.SS force group (S) -This specifies a group name that all connections to this service -should be made as. This may be useful for sharing files. - -.B Default: - no forced group - -.B Example: - force group = agroup - -.SS force user (S) -This specifies a user name that all connections to this service -should be made as. This may be useful for sharing files. You should -also use it carefully as using it incorrectly can cause security -problems. - -This user name only gets used once a connection is established. Thus -clients still need to connect as a valid user and supply a valid -password. Once connected, all file operations will be performed as the -"forced user", not matter what username the client connected as. - -.B Default: - no forced user - -.B Example: - force user = auser +this function. + +The external program will be passed a single parameter indicating +a directory in the filesystem being queried. This will typically consist +of the string \fI./\fR. The script should return two +integers in ASCII. The first should be the total disk space in blocks, +and the second should be the number of available blocks. An optional +third return value can give the block size in bytes. The default +blocksize is 1024 bytes. + +Note: Your script should \fBNOT\fR be setuid or +setgid and should be owned by (and writeable only by) root! + +Default: \fBBy default internal routines for +determining the disk capacity and remaining space will be used. +\fR +Example: \fBdfree command = /usr/local/samba/bin/dfree +\fR +Where the script dfree (which must be made executable) could be: + +.sp +.nf + + #!/bin/sh + df $1 | tail -1 | awk '{print $2" "$4}' + +.sp +.fi + +or perhaps (on Sys V based systems): + +.sp +.nf + + #!/bin/sh + /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' + +.sp +.fi + +Note that you may have to replace the command names +with full path names on some systems. +.TP +\fBdirectory (S)\fR +Synonym for \fIpath +\fR\&. +.TP +\fBdirectory mask (S)\fR +This parameter is the octal modes which are +used when converting DOS modes to UNIX modes when creating UNIX +directories. + +When a directory is created, the necessary permissions are +calculated according to the mapping from DOS modes to UNIX permissions, +and the resulting UNIX mode is then bit-wise 'AND'ed with this +parameter. This parameter may be thought of as a bit-wise MASK for +the UNIX modes of a directory. Any bit \fBnot\fR set +here will be removed from the modes set on a directory when it is +created. + +The default value of this parameter removes the 'group' +and 'other' write bits from the UNIX mode, allowing only the +user who owns the directory to modify it. + +Following this Samba will bit-wise 'OR' the UNIX mode +created from this parameter with the value of the \fIforce directory mode +\fRparameter. This parameter is set to 000 by +default (i.e. no extra mode bits are added). + +Note that this parameter does not apply to permissions +set by Windows NT/2000 ACL editors. If the administrator wishes to enforce +a mask on access control lists also, they need to set the \fIdirectory security mask\fR. + +See the \fIforce +directory mode\fR parameter to cause particular mode +bits to always be set on created directories. + +See also the \fIcreate mode +\fRparameter for masking mode bits on created files, +and the \fIdirectory +security mask\fR parameter. + +Also refer to the \fI inherit permissions\fR parameter. + +Default: \fBdirectory mask = 0755\fR + +Example: \fBdirectory mask = 0775\fR +.TP +\fBdirectory mode (S)\fR +Synonym for \fI directory mask\fR +.TP +\fBdirectory security mask (S)\fR +This parameter controls what UNIX permission bits +can be modified when a Windows NT client is manipulating the UNIX +permission on a directory using the native NT security dialog +box. + +This parameter is applied as a mask (AND'ed with) to +the changed permission bits, thus preventing any bits not in +this mask from being modified. Essentially, zero bits in this +mask may be treated as a set of bits the user is not allowed +to change. + +If not set explicitly this parameter is set to 0777 +meaning a user is allowed to modify all the user/group/world +permissions on a directory. + +\fBNote\fR that users who can access the +Samba server through other means can easily bypass this restriction, +so it is primarily useful for standalone "appliance" systems. +Administrators of most normal systems will probably want to leave +it as the default of 0777. + +See also the \fI force directory security mode\fR, \fIsecurity mask\fR, +\fIforce security mode +\fRparameters. + +Default: \fBdirectory security mask = 0777\fR + +Example: \fBdirectory security mask = 0700\fR +.TP +\fBdisable spoolss (G)\fR +Enabling this parameter will disables Samba's support +for the SPOOLSS set of MS-RPC's and will yield identical behavior +as Samba 2.0.x. Windows NT/2000 clients will downgrade to using +Lanman style printing commands. Windows 9x/ME will be uneffected by +the parameter. However, this will also disable the ability to upload +printer drivers to a Samba server via the Windows NT Add Printer +Wizard or by using the NT printer properties dialog window. It will +also disable the capability of Windows NT/2000 clients to download +print drivers from the Samba host upon demand. +\fBBe very careful about enabling this parameter.\fR + +See also use client driver + +Default : \fBdisable spoolss = no\fR +.TP +\fBdns proxy (G)\fR +Specifies that nmbd(8) +when acting as a WINS server and finding that a NetBIOS name has not +been registered, should treat the NetBIOS name word-for-word as a DNS +name and do a lookup with the DNS server for that name on behalf of +the name-querying client. + +Note that the maximum length for a NetBIOS name is 15 +characters, so the DNS name (or DNS alias) can likewise only be +15 characters, maximum. + +\fBnmbd\fR spawns a second copy of itself to do the +DNS name lookup requests, as doing a name lookup is a blocking +action. + +See also the parameter \fI wins support\fR. + +Default: \fBdns proxy = yes\fR +.TP +\fBdomain admin group (G)\fR +This parameter is intended as a temporary solution +to enable users to be a member of the "Domain Admins" group when +a Samba host is acting as a PDC. A complete solution will be provided +by a system for mapping Windows NT/2000 groups onto UNIX groups. +Please note that this parameter has a somewhat confusing name. It +accepts a list of usernames and of group names in standard +\fIsmb.conf\fR notation. + +See also \fIdomain +guest group\fR, \fIdomain +logons\fR + +Default: \fBno domain administrators\fR + +Example: \fBdomain admin group = root @wheel\fR +.TP +\fBdomain guest group (G)\fR +This parameter is intended as a temporary solution +to enable users to be a member of the "Domain Guests" group when +a Samba host is acting as a PDC. A complete solution will be provided +by a system for mapping Windows NT/2000 groups onto UNIX groups. +Please note that this parameter has a somewhat confusing name. It +accepts a list of usernames and of group names in standard +\fIsmb.conf\fR notation. + +See also \fIdomain +admin group\fR, \fIdomain +logons\fR + +Default: \fBno domain guests\fR + +Example: \fBdomain guest group = nobody @guest\fR +.TP +\fBdomain logons (G)\fR +If set to true, the Samba server will serve +Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also +has limited capability to act as a domain controller for Windows +NT 4 Domains. For more details on setting up this feature see +the Samba-PDC-HOWTO included in the \fIhtmldocs/\fR +directory shipped with the source code. + +Default: \fBdomain logons = no\fR +.TP +\fBdomain master (G)\fR +Tell \fB nmbd(8)\fRto enable WAN-wide browse list +collation. Setting this option causes \fBnmbd\fR to +claim a special domain specific NetBIOS name that identifies +it as a domain master browser for its given \fIworkgroup\fR. Local master browsers +in the same \fIworkgroup\fR on broadcast-isolated +subnets will give this \fBnmbd\fR their local browse lists, +and then ask \fBsmbd(8)\fR +for a complete copy of the browse list for the whole wide area +network. Browser clients will then contact their local master browser, +and will receive the domain-wide browse list, instead of just the list +for their broadcast-isolated subnet. + +Note that Windows NT Primary Domain Controllers expect to be +able to claim this \fIworkgroup\fR specific special +NetBIOS name that identifies them as domain master browsers for +that \fIworkgroup\fR by default (i.e. there is no +way to prevent a Windows NT PDC from attempting to do this). This +means that if this parameter is set and \fBnmbd\fR claims +the special name for a \fIworkgroup\fR before a Windows +NT PDC is able to do so then cross subnet browsing will behave +strangely and may fail. + +If \fBdomain logons = yes\fR +, then the default behavior is to enable the \fIdomain +master\fR parameter. If \fIdomain logons\fR is +not enabled (the default setting), then neither will \fIdomain +master\fR be enabled by default. + +Default: \fBdomain master = auto\fR +.TP +\fBdont descend (S)\fR +There are certain directories on some systems +(e.g., the \fI/proc\fR tree under Linux) that are either not +of interest to clients or are infinitely deep (recursive). This +parameter allows you to specify a comma-delimited list of directories +that the server should always show as empty. + +Note that Samba can be very fussy about the exact format +of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR. +Experimentation is the best policy :-) + +Default: \fBnone (i.e., all directories are OK +to descend)\fR + +Example: \fBdont descend = /proc,/dev\fR +.TP +\fBdos filemode (S)\fR +The default behavior in Samba is to provide +UNIX-like behavior where only the owner of a file/directory is +able to change the permissions on it. However, this behavior +is often confusing to DOS/Windows users. Enabling this parameter +allows a user who has write access to the file (by whatever +means) to modify the permissions on it. Note that a user +belonging to the group owning the file will not be allowed to +change permissions if the group is only granted read access. +Ownership of the file/directory is not changed, only the permissions +are modified. + +Default: \fBdos filemode = no\fR +.TP +\fBdos filetime resolution (S)\fR +Under the DOS and Windows FAT filesystem, the finest +granularity on time resolution is two seconds. Setting this parameter +for a share causes Samba to round the reported time down to the +nearest two second boundary when a query call that requires one second +resolution is made to \fBsmbd(8)\fR +. + +This option is mainly used as a compatibility option for Visual +C++ when used against Samba shares. If oplocks are enabled on a +share, Visual C++ uses two different time reading calls to check if a +file has changed since it was last read. One of these calls uses a +one-second granularity, the other uses a two second granularity. As +the two second call rounds any odd second down, then if the file has a +timestamp of an odd number of seconds then the two timestamps will not +match and Visual C++ will keep reporting the file has changed. Setting +this option causes the two timestamps to match, and Visual C++ is +happy. + +Default: \fBdos filetime resolution = no\fR +.TP +\fBdos filetimes (S)\fR +Under DOS and Windows, if a user can write to a +file they can change the timestamp on it. Under POSIX semantics, +only the owner of the file or root may change the timestamp. By +default, Samba runs with POSIX semantics and refuses to change the +timestamp on a file if the user \fBsmbd\fR is acting +on behalf of is not the file owner. Setting this option to true allows DOS semantics and smbdwill change the file +timestamp as DOS requires. + +Default: \fBdos filetimes = no\fR +.TP +\fBencrypt passwords (G)\fR +This boolean controls whether encrypted passwords +will be negotiated with the client. Note that Windows NT 4.0 SP3 and +above and also Windows 98 will by default expect encrypted passwords +unless a registry entry is changed. To use encrypted passwords in +Samba see the file ENCRYPTION.txt in the Samba documentation +directory \fIdocs/\fR shipped with the source code. + +In order for encrypted passwords to work correctly +\fBsmbd(8)\fRmust either +have access to a local \fIsmbpasswd(5) +\fRprogram for information on how to set up +and maintain this file), or set the security = [server|domain|ads] parameter which +causes \fBsmbd\fR to authenticate against another +server. -.SS guest account (S) -This is a username which will be used for access to services which are -specified as 'guest ok' (see below). Whatever privileges this user has -will be available to any client connecting to the guest -service. Typically this user will exist in the password file, but will -not have a valid login. If a username is specified in a given service, +Default: \fBencrypt passwords = yes\fR +.TP +\fBenhanced browsing (G)\fR +This option enables a couple of enhancements to +cross-subnet browse propagation that have been added in Samba +but which are not standard in Microsoft implementations. + +The first enhancement to browse propagation consists of a regular +wildcard query to a Samba WINS server for all Domain Master Browsers, +followed by a browse synchronization with each of the returned +DMBs. The second enhancement consists of a regular randomised browse +synchronization with all currently known DMBs. + +You may wish to disable this option if you have a problem with empty +workgroups not disappearing from browse lists. Due to the restrictions +of the browse protocols these enhancements can cause a empty workgroup +to stay around forever which can be annoying. + +In general you should leave this option enabled as it makes +cross-subnet browse propagation much more reliable. + +Default: \fBenhanced browsing = yes\fR +.TP +\fBenumports command (G)\fR +The concept of a "port" is fairly foreign +to UNIX hosts. Under Windows NT/2000 print servers, a port +is associated with a port monitor and generally takes the form of +a local port (i.e. LPT1:, COM1:, FILE:) or a remote port +(i.e. LPD Port Monitor, etc...). By default, Samba has only one +port defined--"Samba Printer Port". Under +Windows NT/2000, all printers must have a valid port name. +If you wish to have a list of ports displayed (\fBsmbd +\fRdoes not use a port name for anything) other than +the default "Samba Printer Port", you +can define \fIenumports command\fR to point to +a program which should generate a list of ports, one per line, +to standard output. This listing will then be used in response +to the level 1 and 2 EnumPorts() RPC. + +Default: \fBno enumports command\fR + +Example: \fBenumports command = /usr/bin/listports +\fR.TP +\fBexec (S)\fR +This is a synonym for \fIpreexec\fR. +.TP +\fBfake directory create times (S)\fR +NTFS and Windows VFAT file systems keep a create +time for all files and directories. This is not the same as the +ctime - status change time - that Unix keeps, so Samba by default +reports the earliest of the various times Unix does keep. Setting +this parameter for a share causes Samba to always report midnight +1-1-1980 as the create time for directories. + +This option is mainly used as a compatibility option for +Visual C++ when used against Samba shares. Visual C++ generated +makefiles have the object directory as a dependency for each object +file, and a make rule to create the directory. Also, when NMAKE +compares timestamps it uses the creation time when examining a +directory. Thus the object directory will be created if it does not +exist, but once it does exist it will always have an earlier +timestamp than the object files it contains. + +However, Unix time semantics mean that the create time +reported by Samba will be updated whenever a file is created or +or deleted in the directory. NMAKE finds all object files in +the object directory. The timestamp of the last one built is then +compared to the timestamp of the object directory. If the +directory's timestamp if newer, then all object files +will be rebuilt. Enabling this option +ensures directories always predate their contents and an NMAKE build +will proceed as expected. + +Default: \fBfake directory create times = no\fR +.TP +\fBfake oplocks (S)\fR +Oplocks are the way that SMB clients get permission +from a server to locally cache file operations. If a server grants +an oplock (opportunistic lock) then the client is free to assume +that it is the only one accessing the file and it will aggressively +cache file data. With some oplock types the client may even cache +file open/close operations. This can give enormous performance benefits. + +When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fRwill +always grant oplock requests no matter how many clients are using +the file. + +It is generally much better to use the real \fIoplocks\fR support rather +than this parameter. + +If you enable this option on all read-only shares or +shares that you know will only be accessed from one client at a +time such as physically read-only media like CDROMs, you will see +a big performance improvement on many operations. If you enable +this option on shares where multiple clients may be accessing the +files read-write at the same time you can get data corruption. Use +this option carefully! + +Default: \fBfake oplocks = no\fR +.TP +\fBfollow symlinks (S)\fR +This parameter allows the Samba administrator +to stop \fBsmbd(8)\fR +from following symbolic links in a particular share. Setting this +parameter to no prevents any file or directory +that is a symbolic link from being followed (the user will get an +error). This option is very useful to stop users from adding a +symbolic link to \fI/etc/passwd\fR in their home +directory for instance. However it will slow filename lookups +down slightly. + +This option is enabled (i.e. \fBsmbd\fR will +follow symbolic links) by default. + +Default: \fBfollow symlinks = yes\fR +.TP +\fBforce create mode (S)\fR +This parameter specifies a set of UNIX mode bit +permissions that will \fBalways\fR be set on a +file created by Samba. This is done by bitwise 'OR'ing these bits onto +the mode bits of a file that is being created or having its +permissions changed. The default for this parameter is (in octal) +000. The modes in this parameter are bitwise 'OR'ed onto the file +mode after the mask set in the \fIcreate mask\fR +parameter is applied. + +See also the parameter \fIcreate +mask\fR for details on masking mode bits on files. + +See also the \fIinherit +permissions\fR parameter. + +Default: \fBforce create mode = 000\fR + +Example: \fBforce create mode = 0755\fR + +would force all created files to have read and execute +permissions set for 'group' and 'other' as well as the +read/write/execute bits set for the 'user'. +.TP +\fBforce directory mode (S)\fR +This parameter specifies a set of UNIX mode bit +permissions that will \fBalways\fR be set on a directory +created by Samba. This is done by bitwise 'OR'ing these bits onto the +mode bits of a directory that is being created. The default for this +parameter is (in octal) 0000 which will not add any extra permission +bits to a created directory. This operation is done after the mode +mask in the parameter \fIdirectory mask\fR is +applied. + +See also the parameter \fI directory mask\fR for details on masking mode bits +on created directories. + +See also the \fI inherit permissions\fR parameter. + +Default: \fBforce directory mode = 000\fR + +Example: \fBforce directory mode = 0755\fR + +would force all created directories to have read and execute +permissions set for 'group' and 'other' as well as the +read/write/execute bits set for the 'user'. +.TP +\fBforce directory security mode (S)\fR +This parameter controls what UNIX permission bits +can be modified when a Windows NT client is manipulating the UNIX +permission on a directory using the native NT security dialog box. + +This parameter is applied as a mask (OR'ed with) to the +changed permission bits, thus forcing any bits in this mask that +the user may have modified to be on. Essentially, one bits in this +mask may be treated as a set of bits that, when modifying security +on a directory, the user has always set to be 'on'. + +If not set explicitly this parameter is 000, which +allows a user to modify all the user/group/world permissions on a +directory without restrictions. + +\fBNote\fR that users who can access the +Samba server through other means can easily bypass this restriction, +so it is primarily useful for standalone "appliance" systems. +Administrators of most normal systems will probably want to leave +it set as 0000. + +See also the \fI directory security mask\fR, \fIsecurity mask\fR, +\fIforce security mode +\fRparameters. + +Default: \fBforce directory security mode = 0\fR + +Example: \fBforce directory security mode = 700\fR +.TP +\fBforce group (S)\fR +This specifies a UNIX group name that will be +assigned as the default primary group for all users connecting +to this service. This is useful for sharing files by ensuring +that all access to files on service will use the named group for +their permissions checking. Thus, by assigning permissions for this +group to the files and directories within this service the Samba +administrator can restrict or allow sharing of these files. + +In Samba 2.0.5 and above this parameter has extended +functionality in the following way. If the group name listed here +has a '+' character prepended to it then the current user accessing +the share only has the primary group default assigned to this group +if they are already assigned as a member of that group. This allows +an administrator to decide that only users who are already in a +particular group will create files with group ownership set to that +group. This gives a finer granularity of ownership assignment. For +example, the setting \fIforce group = +sys\fR means +that only users who are already in group sys will have their default +primary group assigned to sys when accessing this Samba share. All +other users will retain their ordinary primary group. + +If the \fIforce user +\fRparameter is also set the group specified in +\fIforce group\fR will override the primary group +set in \fIforce user\fR. + +See also \fIforce +user\fR. + +Default: \fBno forced group\fR + +Example: \fBforce group = agroup\fR +.TP +\fBforce security mode (S)\fR +This parameter controls what UNIX permission +bits can be modified when a Windows NT client is manipulating +the UNIX permission on a file using the native NT security dialog +box. + +This parameter is applied as a mask (OR'ed with) to the +changed permission bits, thus forcing any bits in this mask that +the user may have modified to be on. Essentially, one bits in this +mask may be treated as a set of bits that, when modifying security +on a file, the user has always set to be 'on'. + +If not set explicitly this parameter is set to 0, +and allows a user to modify all the user/group/world permissions on a file, +with no restrictions. + +\fBNote\fR that users who can access +the Samba server through other means can easily bypass this restriction, +so it is primarily useful for standalone "appliance" systems. +Administrators of most normal systems will probably want to leave +this set to 0000. + +See also the \fI force directory security mode\fR, +\fIdirectory security +mask\fR, \fI security mask\fR parameters. + +Default: \fBforce security mode = 0\fR + +Example: \fBforce security mode = 700\fR +.TP +\fBforce user (S)\fR +This specifies a UNIX user name that will be +assigned as the default user for all users connecting to this service. +This is useful for sharing files. You should also use it carefully +as using it incorrectly can cause security problems. + +This user name only gets used once a connection is established. +Thus clients still need to connect as a valid user and supply a +valid password. Once connected, all file operations will be performed +as the "forced user", no matter what username the client connected +as. This can be very useful. + +In Samba 2.0.5 and above this parameter also causes the +primary group of the forced user to be used as the primary group +for all file activity. Prior to 2.0.5 the primary group was left +as the primary group of the connecting user (this was a bug). + +See also \fIforce group +\fR +Default: \fBno forced user\fR + +Example: \fBforce user = auser\fR +.TP +\fBfstype (S)\fR +This parameter allows the administrator to +configure the string that specifies the type of filesystem a share +is using that is reported by \fBsmbd(8) +\fRwhen a client queries the filesystem type +for a share. The default type is NTFS for +compatibility with Windows NT but this can be changed to other +strings such as Samba or FAT +if required. + +Default: \fBfstype = NTFS\fR + +Example: \fBfstype = Samba\fR +.TP +\fBgetwd cache (G)\fR +This is a tuning option. When this is enabled a +caching algorithm will be used to reduce the time taken for getwd() +calls. This can have a significant impact on performance, especially +when the \fIwide links\fR +parameter is set to false. + +Default: \fBgetwd cache = yes\fR +.TP +\fBgroup (S)\fR +Synonym for \fIforce +group\fR. +.TP +\fBguest account (S)\fR +This is a username which will be used for access +to services which are specified as \fI guest ok\fR (see below). Whatever privileges this +user has will be available to any client connecting to the guest service. +Typically this user will exist in the password file, but will not +have a valid login. The user account "ftp" is often a good choice +for this parameter. If a username is specified in a given service, the specified username overrides this one. -One some systems the account "nobody" may not be able to print. Use -another account in this case. You should test this by trying to log in -as your guest user (perhaps by using the "su -" command) and trying to -print using lpr. - -Note that as of version 1.9 of Samba this option may be set -differently for each service. - -.B Default: - specified at compile time - -.B Example: - guest account = nobody -.SS getwd cache (G) -This is a tuning option. When this is enabled a cacheing algorithm will -be used to reduce the time taken for getwd() calls. This can have a -significant impact on performance, especially when widelinks is False. - -.B Default: - getwd cache = No - -.B Example: - getwd cache = Yes -.SS guest ok (S) -See -.B public. -.SS guest only (S) -If this parameter is 'yes' for a service, then only guest connections to the -service are permitted. This parameter will have no affect if "guest ok" or -"public" is not set for the service. - -See the section below on user/password validation for more information about -this option. - -.B Default: - guest only = no - -.B Example: - guest only = yes -.SS hide dot files (S) -This is a boolean parameter that controls whether files starting with -a dot appear as hidden files. - -.B Default: - hide dot files = yes - -.B Example: - hide dot files = no -.SS hosts allow (S) -See -.B allow hosts. -.SS hosts deny (S) -See -.B deny hosts. - -.SS group (S) -This is an alias for "force group" and is only kept for compatability -with old versions of Samba. It may be removed in future versions. - -.SS hosts equiv (G) -If this global parameter is a non-null string, it specifies the name of -a file to read for the names of hosts and users who will be allowed access -without specifying a password. - -This is not be confused with -.B allow hosts -which is about hosts access to services and is more useful for guest services. -.B hosts equiv -may be useful for NT clients which will not supply passwords to samba. - -NOTE: The use of hosts.equiv can be a major security hole. This is -because you are trusting the PC to supply the correct username. It is -very easy to get a PC to supply a false username. I recommend that the -hosts.equiv option be only used if you really know what you are doing, -or perhaps on a home network where you trust your wife and kids :-) - -.B Default - No host equivalences - -.B Example - hosts equiv = /etc/hosts.equiv - -.SS invalid users (S) -This is a list of users that should not be allowed to login to this -service. This is really a "paranoid" check to absolutely ensure an -improper setting does not breach your security. - -A name starting with @ is interpreted as a unix group. - -The current servicename is substituted for %S. This is useful in the -[homes] section. - -See also "valid users" - -.B Default - No invalid users - -.B Example - invalid users = root fred admin @wheel - -.SS include (G) - -This allows you to inlcude one config file inside another. the file is -included literally, as though typed in place. - -It takes the standard substitutions, except %u, %P and %S - -.SS keep alive (G) -The value of the parameter (an integer) represents the number of seconds -between 'keepalive' packets. If this parameter is zero, no keepalive packets -will be sent. Keepalive packets, if sent, allow the server to tell whether a -client is still present and responding. - -Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see "socket -options"). Basically you should only use this option if you strike -difficulties. - -.B Default: - keep alive = 0 - -.B Example: - keep alive = 60 -.SS load printers (G) -A boolean variable that controls whether all printers in the printcap -will be loaded for browsing by default. - -.B Default: - load printers = no - -.B Example: - load printers = yes - -.SS lock directory (G) -This options specifies the directory where lock files will be placed. -The lock files are used to implement the "max connections" option. - -.B Default: - lock directory = /tmp/samba - -.B Example: - lock directory = /usr/local/samba/locks -.SS locking (S) -This controls whether or not locking will be performed by the server in -response to lock requests from the client. - -If "locking = no", all lock and unlock requests will appear to succeed and -all lock queries will indicate that the queried lock is clear. - -If "locking = yes", real locking will be performed by the server. - -This option may be particularly useful for read-only filesystems which -do not need locking (such as cdrom drives). - -Be careful about disabling locking either globally or in a specific -service, as lack of locking may result in data corruption. - -.B Default: - locking = yes - -.B Example: - locking = no - -.SS log file (G) - -This options allows you to override the name of the Samba log file -(also known as the debug file). - -This option takes the standard substitutions, allowing you to have -separate log files for each user or machine. - -.B Example: - log file = /usr/local/samba/log.%m - -.SS log level (G) -see "debug level" - -.SS lppause command (S) -This parameter specifies the command to be executed on the server host in -order to stop printing or spooling a specific print job. +One some systems the default guest account "nobody" may not +be able to print. Use another account in this case. You should test +this by trying to log in as your guest user (perhaps by using the +\fBsu -\fR command) and trying to print using the +system print command such as \fBlpr(1)\fR or \fB lp(1)\fR. + +Default: \fBspecified at compile time, usually +"nobody"\fR + +Example: \fBguest account = ftp\fR +.TP +\fBguest ok (S)\fR +If this parameter is yes for +a service, then no password is required to connect to the service. +Privileges will be those of the \fI guest account\fR. + +See the section below on \fI security\fR for more information about this option. + +Default: \fBguest ok = no\fR +.TP +\fBguest only (S)\fR +If this parameter is yes for +a service, then only guest connections to the service are permitted. +This parameter will have no effect if \fIguest ok\fR is not set for the service. + +See the section below on \fI security\fR for more information about this option. + +Default: \fBguest only = no\fR +.TP +\fBhide dot files (S)\fR +This is a boolean parameter that controls whether +files starting with a dot appear as hidden files. + +Default: \fBhide dot files = yes\fR +.TP +\fBhide files(S)\fR +This is a list of files or directories that are not +visible but are accessible. The DOS 'hidden' attribute is applied +to any files or directories that match. + +Each entry in the list must be separated by a '/', +which allows spaces to be included in the entry. '*' +and '?' can be used to specify multiple files or directories +as in DOS wildcards. + +Each entry must be a Unix path, not a DOS path and must +not include the Unix directory separator '/'. + +Note that the case sensitivity option is applicable +in hiding files. + +Setting this parameter will affect the performance of Samba, +as it will be forced to check all files and directories for a match +as they are scanned. + +See also \fIhide +dot files\fR, \fI veto files\fR and \fIcase sensitive\fR. + +Default: \fBno file are hidden\fR + +Example: \fBhide files = +/.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR + +The above example is based on files that the Macintosh +SMB client (DAVE) available from +Thursby <URL:http://www.thursby.com> creates for internal use, and also still hides +all files beginning with a dot. +.TP +\fBhide local users(G)\fR +This parameter toggles the hiding of local UNIX +users (root, wheel, floppy, etc) from remote clients. + +Default: \fBhide local users = no\fR +.TP +\fBhide unreadable (S)\fR +This parameter prevents clients from seeing the +existance of files that cannot be read. Defaults to off. + +Default: \fBhide unreadable = no\fR +.TP +\fBhomedir map (G)\fR +If\fInis homedir +\fRis true, and \fBsmbd(8)\fRis also acting +as a Win95/98 \fIlogon server\fR then this parameter +specifies the NIS (or YP) map from which the server for the user's +home directory should be extracted. At present, only the Sun +auto.home map format is understood. The form of the map is: + +\fBusername server:/some/file/system\fR + +and the program will extract the servername from before +the first ':'. There should probably be a better parsing system +that copes with different map formats and also Amd (another +automounter) maps. + +\fBNOTE :\fRA working NIS client is required on +the system for this option to work. + +See also \fInis homedir\fR +, \fIdomain logons\fR +\&. + +Default: \fBhomedir map = <empty string>\fR + +Example: \fBhomedir map = amd.homedir\fR +.TP +\fBhost msdfs (G)\fR +This boolean parameter is only available +if Samba has been configured and compiled with the \fB --with-msdfs\fR option. If set to yes, +Samba will act as a Dfs server, and allow Dfs-aware clients +to browse Dfs trees hosted on the server. + +See also the \fI msdfs root\fR share level parameter. For +more information on setting up a Dfs tree on Samba, +refer to msdfs_setup.html. + +Default: \fBhost msdfs = no\fR +.TP +\fBhosts allow (S)\fR +A synonym for this parameter is \fIallow +hosts\fR. + +This parameter is a comma, space, or tab delimited +set of hosts which are permitted to access a service. + +If specified in the [global] section then it will +apply to all services, regardless of whether the individual +service has a different setting. + +You can specify the hosts by name or IP number. For +example, you could restrict access to only the hosts on a +Class C subnet with something like \fBallow hosts = 150.203.5. +\fR\&. The full syntax of the list is described in the man +page \fIhosts_access(5)\fR. Note that this man +page may not be present on your system, so a brief description will +be given here also. + +Note that the localhost address 127.0.0.1 will always +be allowed access unless specifically denied by a \fIhosts deny\fR option. + +You can also specify hosts by network/netmask pairs and +by netgroup names if your system supports netgroups. The +\fBEXCEPT\fR keyword can also be used to limit a +wildcard list. The following examples may provide some help: + +Example 1: allow all IPs in 150.203.*.*; except one + +\fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR -This command should be a program or script which takes a printer name and -job number to pause the print job. Currently I don't know of any print -spooler system that can do this with a simple option, except for the PPR -system from Trinity College (ppr\-dist.trincoll.edu/pub/ppr). One way -of implementing this is by using job priorities, where jobs having a too -low priority wont be sent to the printer. See also the lppause command. - -If a %p is given then the printername is put in it's place. A %j is -replaced with the job number (an integer). -On HPUX (see printing=hpux), if the -p%p option is added to the lpq -command, the job will show up with the correct status, i.e. if the job -priority is lower than the set fence priority it will have the PAUSED -status, whereas if the priority is equal or higher it will have the -SPOOLED or PRINTING status. - -Note that it is good practice to include the absolute path in the lppause -command as the PATH may not be available to the server. - -.B Default: - Currently no default value is given to this string - -.B Example for HPUX: - lppause command = /usr/bin/lpalt %p-%j -p0 - -.SS lpq cache time (G) - -This controls how long lpq info will be cached for to prevent the lpq -command being called too often. A separate cache is kept for each -variation of the lpq command used by the system, so if you use -different lpq commands for different users then they won't share cache -information. - -The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash -of the lpq command in use. - -The default is 10 seconds, meaning that the cached results of a -previous identical lpq command will be used if the cached data is less -than 10 seconds old. A large value may be advisable if your lpq -command is very slow. - -A value of 0 will disable cacheing completely. - -.B Default: - lpq cache time = 10 - -.B Example: - lpq cache time = 30 - -.SS lpq command (S) -This parameter specifies the command to be executed on the server host in -order to obtain "lpq"-style printer status information. - -This command should be a program or script which takes a printer name -as its only parameter and outputs printer status information. - -Currently four styles of printer status information are supported; -BSD, SYSV, AIX and HPUX. This covers most unix systems. You control -which type is expected using the "printing =" option. - -Some clients (notably Windows for Workgroups) may not correctly send the -connection number for the printer they are requesting status information -about. To get around this, the server reports on the first printer service -connected to by the client. This only happens if the connection number sent -is invalid. - -If a %p is given then the printername is put in it's place. Otherwise -it is placed at the end of the command. - -Note that it is good practice to include the absolute path in the lpq -command as the PATH may not be available to the server. - -.B Default: - depends on the setting of "printing =" - -.B Example: - lpq command = /usr/bin/lpq %p - -.SS lpresume command (S) -This parameter specifies the command to be executed on the server host in -order to restart or continue printing or spooling a specific print job. - -This command should be a program or script which takes a printer name and -job number to resume the print job. See also the lppause command. - -If a %p is given then the printername is put in it's place. A %j is -replaced with the job number (an integer). - -Note that it is good practice to include the absolute path in the lpresume -command as the PATH may not be available to the server. - -.B Default: - Currently no default value is given to this string - -.B Example for HPUX: - lpresume command = /usr/bin/lpalt %p-%j -p2 - -.SS lprm command (S) -This parameter specifies the command to be executed on the server host in -order to delete a print job. - -This command should be a program or script which takes a printer name -and job number, and deletes the print job. - -Currently four styles of printer control are supported; BSD, SYSV, AIX -and HPUX. This covers most unix systems. You control which type is -expected using the "printing =" option. - -If a %p is given then the printername is put in it's place. A %j is -replaced with the job number (an integer). - -Note that it is good practice to include the absolute path in the lprm -command as the PATH may not be available to the server. - -.B Default: - depends on the setting of "printing =" - -.B Example 1: - lprm command = /usr/bin/lprm -P%p %j - -.B Example 2: - lprm command = /usr/bin/cancel %p-%j - -.SS magic output (S) -This parameter specifies the name of a file which will contain output -created by a magic script (see -.I magic script -below). - -Warning: If two clients use the same magic script in the same directory the -output file content is undefined. -.B Default: - magic output = <magic script name>.out - -.B Example: - magic output = myfile.txt -.SS magic script (S) -This parameter specifies the name of a file which, if opened, will be -executed by the server when the file is closed. This allows a Unix script -to be sent to the Samba host and executed on behalf of the connected user. - -Scripts executed in this way will be deleted upon completion, permissions -permitting. - -If the script generates output, output will be sent to the file specified by -the -.I magic output -parameter (see above). - -Note that some shells are unable to interpret scripts containing -carriage-return-linefeed instead of linefeed as the end-of-line -marker. Magic scripts must be executable "as is" on the host, which -for some hosts and some shells will require filtering at the DOS end. - -Magic scripts are EXPERIMENTAL and should NOT be relied upon. -.B Default: - None. Magic scripts disabled. - -.B Example: - magic script = user.csh -.SS mangled map (S) -This is for those who want to directly map UNIX file names which are -not representable on DOS. The mangling of names is not always what is -needed. In particular you may have documents with file extensiosn -that differ between dos and unix. For example, under unix it is common -to use .html for HTML files, whereas under dos .htm is more commonly -used. - -So to map 'html' to 'htm' you put: - - mangled map = (*.html *.htm) +Example 2: allow hosts that match the given network/netmask -One very useful case is to remove the annoying ;1 off the ends of -filenames on some CDROMS (only visible under some unixes). To do this -use a map of (*;1 *) +\fBhosts allow = 150.203.15.0/255.255.255.0\fR -.B default: - no mangled map +Example 3: allow a couple of hosts -.B Example: - mangled map = (*;1 *) +\fBhosts allow = lapland, arvidsjaur\fR -.SS mangle case (S) +Example 4: allow only hosts in NIS netgroup "foonet", but +deny access from one particular host -See the section on "NAME MANGLING" +\fBhosts allow = @foonet\fR -.SS mangled names (S) -This controls whether non-DOS names under Unix should be mapped to -DOS-compatible names ("mangled") and made visible, or whether non-DOS names -should simply be ignored. +\fBhosts deny = pirate\fR -See the section on "NAME MANGLING" for details on how to control the -mangling process. +Note that access still requires suitable user-level passwords. -If mangling is used then the mangling algorithm is as follows: +See \fBtestparm(1)\fR +for a way of testing your host access to see if it does +what you expect. + +Default: \fBnone (i.e., all hosts permitted access) +\fR +Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au +\fR.TP +\fBhosts deny (S)\fR +The opposite of \fIhosts allow\fR +- hosts listed here are \fBNOT\fR permitted access to +services unless the specific services have their own lists to override +this one. Where the lists conflict, the \fIallow\fR +list takes precedence. + +Default: \fBnone (i.e., no hosts specifically excluded) +\fR +Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au +\fR.TP +\fBhosts equiv (G)\fR +If this global parameter is a non-null string, +it specifies the name of a file to read for the names of hosts +and users who will be allowed access without specifying a password. + +This is not be confused with \fIhosts allow\fR which is about hosts +access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will +not supply passwords to Samba. + +\fBNOTE :\fR The use of \fIhosts equiv +\fRcan be a major security hole. This is because you are +trusting the PC to supply the correct username. It is very easy to +get a PC to supply a false username. I recommend that the +\fIhosts equiv\fR option be only used if you really +know what you are doing, or perhaps on a home network where you trust +your spouse and kids. And only if you \fBreally\fR trust +them :-). + +Default: \fBno host equivalences\fR + +Example: \fBhosts equiv = /etc/hosts.equiv\fR +.TP +\fBinclude (G)\fR +This allows you to include one config file +inside another. The file is included literally, as though typed +in place. + +It takes the standard substitutions, except \fI%u +\fR, \fI%P\fR and \fI%S\fR. + +Default: \fBno file included\fR + +Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf +\fR.TP +\fBinherit permissions (S)\fR +The permissions on new files and directories +are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR +and \fIforce +directory mode\fR but the boolean inherit +permissions parameter overrides this. + +New directories inherit the mode of the parent directory, +including bits such as setgid. + +New files inherit their read/write bits from the parent +directory. Their execute bits continue to be determined by +\fImap archive\fR +, \fImap hidden\fR +and \fImap system\fR +as usual. + +Note that the setuid bit is \fBnever\fR set via +inheritance (the code explicitly prohibits this). + +This can be particularly useful on large systems with +many users, perhaps several thousand, to allow a single [homes] +share to be used flexibly by each user. + +See also \fIcreate mask +\fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR +\&. + +Default: \fBinherit permissions = no\fR +.TP +\fBinterfaces (G)\fR +This option allows you to override the default +network interfaces list that Samba will use for browsing, name +registration and other NBT traffic. By default Samba will query +the kernel for the list of all active interfaces and use any +interfaces except 127.0.0.1 that are broadcast capable. + +The option takes a list of interface strings. Each string +can be in any of the following forms: .RS -- the first (up to) five alphanumeric characters before the rightmost dot of -the filename are preserved, forced to upper case, and appear as the first (up -to) five characters of the mangled name. - -- a tilde ("~") is appended to the first part of the mangled name, followed -by a two-character unique sequence, based on the origonal root name -(i.e., the original filename minus its final extension). The final -extension is included in the hash calculation only if it contains any upper -case characters or is longer than three characters. - -Note that the character to use may be specified using the "mangling -char" option, if you don't like ~. - -- the first three alphanumeric characters of the final extension are preserved, -forced to upper case and appear as the extension of the mangled name. The -final extension is defined as that part of the original filename after the -rightmost dot. If there are no dots in the filename, the mangled name will -have no extension (except in the case of hidden files - see below). - -- files whose Unix name begins with a dot will be presented as DOS hidden -files. The mangled name will be created as for other filenames, but with the -leading dot removed and "___" as its extension regardless of actual original -extension (that's three underscores). +.TP 0.2i +\(bu +a network interface name (such as eth0). +This may include shell-like wildcards so eth* will match +any interface starting with the substring "eth" +.TP 0.2i +\(bu +an IP address. In this case the netmask is +determined from the list of interfaces obtained from the +kernel +.TP 0.2i +\(bu +an IP/mask pair. +.TP 0.2i +\(bu +a broadcast/mask pair. .RE +.PP +The "mask" parameters can either be a bit length (such +as 24 for a C class network) or a full netmask in dotted +decimal form. +.PP +.PP +The "IP" parameters above can either be a full dotted +decimal IP address or a hostname which will be looked up via +the OS's normal hostname resolution mechanisms. +.PP +.PP +For example, the following line: +.PP +.PP +\fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 +\fR.PP +.PP +would configure three network interfaces corresponding +to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. +The netmasks of the latter two interfaces would be set to 255.255.255.0. +.PP +.PP +See also \fIbind +interfaces only\fR. +.PP +.PP +Default: \fBall active interfaces except 127.0.0.1 +that are broadcast capable\fR +.PP +.TP +\fBinvalid users (S)\fR +This is a list of users that should not be allowed +to login to this service. This is really a \fBparanoid\fR +check to absolutely ensure an improper setting does not breach +your security. + +A name starting with a '@' is interpreted as an NIS +netgroup first (if your system supports NIS), and then as a UNIX +group if the name was not found in the NIS netgroup database. + +A name starting with '+' is interpreted only +by looking in the UNIX group database. A name starting with +\&'&' is interpreted only by looking in the NIS netgroup database +(this requires NIS to be working on your system). The characters +\&'+' and '&' may be used at the start of the name in either order +so the value \fI+&group\fR means check the +UNIX group database, followed by the NIS netgroup database, and +the value \fI&+group\fR means check the NIS +netgroup database, followed by the UNIX group database (the +same as the '@' prefix). + +The current servicename is substituted for \fI%S\fR. +This is useful in the [homes] section. + +See also \fIvalid users +\fR\&. + +Default: \fBno invalid users\fR + +Example: \fBinvalid users = root fred admin @wheel +\fR.TP +\fBkeepalive (G)\fR +The value of the parameter (an integer) represents +the number of seconds between \fIkeepalive\fR +packets. If this parameter is zero, no keepalive packets will be +sent. Keepalive packets, if sent, allow the server to tell whether +a client is still present and responding. + +Keepalives should, in general, not be needed if the socket +being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR). +Basically you should only use this option if you strike difficulties. + +Default: \fBkeepalive = 300\fR + +Example: \fBkeepalive = 600\fR +.TP +\fBkernel oplocks (G)\fR +For UNIXes that support kernel based \fIoplocks\fR +(currently only IRIX and the Linux 2.4 kernel), this parameter +allows the use of them to be turned on or off. + +Kernel oplocks support allows Samba \fIoplocks +\fRto be broken whenever a local UNIX process or NFS operation +accesses a file that \fBsmbd(8)\fR +has oplocked. This allows complete data consistency between +SMB/CIFS, NFS and local file access (and is a \fBvery\fR +cool feature :-). + +This parameter defaults to on, but is translated +to a no-op on systems that no not have the necessary kernel support. +You should never need to touch this parameter. + +See also the \fIoplocks\fR +and \fIlevel2 oplocks +\fRparameters. + +Default: \fBkernel oplocks = yes\fR +.TP +\fBlanman auth (G)\fR +This parameter determines whether or not smbdwill +attempt to authenticate users using the LANMAN password hash. +If disabled, only clients which support NT password hashes (e.g. Windows +NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS +network client) will be able to connect to the Samba host. + +Default : \fBlanman auth = yes\fR +.TP +\fBlarge readwrite (G)\fR +This parameter determines whether or not smbd +supports the new 64k streaming read and write varient SMB requests introduced +with Windows 2000. Note that due to Windows 2000 client redirector bugs +this requires Samba to be running on a 64-bit capable operating system such +as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with +Windows 2000 clients. Defaults to on. Not as tested as some other Samba +code paths. + +Default : \fBlarge readwrite = yes\fR +.TP +\fBldap admin dn (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +The \fIldap admin dn\fR defines the Distinguished +Name (DN) name used by Samba to contact the ldap +server when retreiving user account information. The \fIldap +admin dn\fR is used in conjunction with the admin dn password +stored in the \fIprivate/secrets.tdb\fR file. See the +\fBsmbpasswd(8)\fRman +page for more information on how to accmplish this. + +Default : \fBnone\fR +.TP +\fBldap filter (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +This parameter specifies the RFC 2254 compliant LDAP search filter. +The default is to match the login name with the uid +attribute for all entries matching the sambaAccount +objectclass. Note that this filter should only return one entry. + +Default : \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR +.TP +\fBldap port (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +This option is used to control the tcp port number used to contact +the \fIldap server\fR. +The default is to use the stand LDAPS port 636. + +See Also: ldap ssl + +Default : \fBldap port = 636\fR +.TP +\fBldap server (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +This parameter should contains the FQDN of the ldap directory +server which should be queried to locate user account information. + +Default : \fBldap server = localhost\fR +.TP +\fBldap ssl (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +This option is used to define whether or not Samba should +use SSL when connecting to the \fIldap +server\fR. This is \fBNOT\fR related to +Samba SSL support which is enabled by specifying the +\fB--with-ssl\fR option to the \fIconfigure\fR +script (see \fIssl\fR). + +The \fIldap ssl\fR can be set to one of three values: +(a) on - Always use SSL when contacting the +\fIldap server\fR, (b) off - +Never use SSL when querying the directory, or (c) start_tls +- Use the LDAPv3 StartTLS extended operation +(RFC2830) for communicating with the directory server. + +Default : \fBldap ssl = on\fR +.TP +\fBldap suffix (G)\fR +This parameter is only available if Samba has been +configure to include the \fB--with-ldapsam\fR option +at compile time. This option should be considered experimental and +under active development. + +Default : \fBnone\fR +.TP +\fBlevel2 oplocks (S)\fR +This parameter controls whether Samba supports +level2 (read-only) oplocks on a share. + +Level2, or read-only oplocks allow Windows NT clients +that have an oplock on a file to downgrade from a read-write oplock +to a read-only oplock once a second client opens the file (instead +of releasing all oplocks on a second open, as in traditional, +exclusive oplocks). This allows all openers of the file that +support level2 oplocks to cache the file for read-ahead only (ie. +they may not cache writes or lock requests) and increases performance +for many accesses of files that are not commonly written (such as +application .EXE files). + +Once one of the clients which have a read-only oplock +writes to the file all clients are notified (no reply is needed +or waited for) and told to break their oplocks to "none" and +delete any read-ahead caches. + +It is recommended that this parameter be turned on +to speed access to shared executables. + +For more discussions on level2 oplocks see the CIFS spec. + +Currently, if \fIkernel +oplocks\fR are supported then level2 oplocks are +not granted (even if this parameter is set to yes). +Note also, the \fIoplocks\fR +parameter must be set to true on this share in order for +this parameter to have any effect. + +See also the \fIoplocks\fR +and \fIkernel oplocks\fR +parameters. + +Default: \fBlevel2 oplocks = yes\fR +.TP +\fBlm announce (G)\fR +This parameter determines if \fBnmbd(8)\fRwill produce Lanman announce +broadcasts that are needed by OS/2 clients in order for them to see +the Samba server in their browse list. This parameter can have three +values, true, false, or +auto. The default is auto. +If set to false Samba will never produce these +broadcasts. If set to true Samba will produce +Lanman announce broadcasts at a frequency set by the parameter +\fIlm interval\fR. If set to auto +Samba will not send Lanman announce broadcasts by default but will +listen for them. If it hears such a broadcast on the wire it will +then start sending them at a frequency set by the parameter +\fIlm interval\fR. + +See also \fIlm interval +\fR\&. + +Default: \fBlm announce = auto\fR + +Example: \fBlm announce = yes\fR +.TP +\fBlm interval (G)\fR +If Samba is set to produce Lanman announce +broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this +parameter defines the frequency in seconds with which they will be +made. If this is set to zero then no Lanman announcements will be +made despite the setting of the \fIlm announce\fR +parameter. + +See also \fIlm +announce\fR. + +Default: \fBlm interval = 60\fR + +Example: \fBlm interval = 120\fR +.TP +\fBload printers (G)\fR +A boolean variable that controls whether all +printers in the printcap will be loaded for browsing by default. +See the printers section for +more details. + +Default: \fBload printers = yes\fR +.TP +\fBlocal master (G)\fR +This option allows \fB nmbd(8)\fRto try and become a local master browser +on a subnet. If set to false then \fB nmbd\fR will not attempt to become a local master browser +on a subnet and will also lose in all browsing elections. By +default this value is set to true. Setting this value to true doesn't +mean that Samba will \fBbecome\fR the local master +browser on a subnet, just that \fBnmbd\fR will \fB participate\fR in elections for local master browser. + +Setting this value to false will cause \fBnmbd\fR +\fBnever\fR to become a local master browser. + +Default: \fBlocal master = yes\fR +.TP +\fBlock dir (G)\fR +Synonym for \fI lock directory\fR. +.TP +\fBlock directory (G)\fR +This option specifies the directory where lock +files will be placed. The lock files are used to implement the +\fImax connections\fR +option. + +Default: \fBlock directory = ${prefix}/var/locks\fR + +Example: \fBlock directory = /var/run/samba/locks\fR +.TP +\fBlocking (S)\fR +This controls whether or not locking will be +performed by the server in response to lock requests from the +client. + +If \fBlocking = no\fR, all lock and unlock +requests will appear to succeed and all lock queries will report +that the file in question is available for locking. + +If \fBlocking = yes\fR, real locking will be performed +by the server. + +This option \fBmay\fR be useful for read-only +filesystems which \fBmay\fR not need locking (such as +CDROM drives), although setting this parameter of no +is not really recommended even in this case. + +Be careful about disabling locking either globally or in a +specific service, as lack of locking may result in data corruption. +You should never need to set this parameter. + +Default: \fBlocking = yes\fR +.TP +\fBlog file (G)\fR +This option allows you to override the name +of the Samba log file (also known as the debug file). + +This option takes the standard substitutions, allowing +you to have separate log files for each user or machine. + +Example: \fBlog file = /usr/local/samba/var/log.%m +\fR.TP +\fBlog level (G)\fR +The value of the parameter (an integer) allows +the debug level (logging level) to be specified in the +\fIsmb.conf\fR file. This is to give greater +flexibility in the configuration of the system. + +The default will be the log level specified on +the command line or level zero if none was specified. + +Example: \fBlog level = 3\fR +.TP +\fBlogon drive (G)\fR +This parameter specifies the local path to +which the home directory will be connected (see \fIlogon home\fR) +and is only used by NT Workstations. + +Note that this option is only useful if Samba is set up as a +logon server. + +Default: \fBlogon drive = z:\fR + +Example: \fBlogon drive = h:\fR +.TP +\fBlogon home (G)\fR +This parameter specifies the home directory +location when a Win95/98 or NT Workstation logs into a Samba PDC. +It allows you to do + +C:\\> \fBNET USE H: /HOME\fR + +from a command prompt, for example. + +This option takes the standard substitutions, allowing +you to have separate logon scripts for each user or machine. + +This parameter can be used with Win9X workstations to ensure +that roaming profiles are stored in a subdirectory of the user's +home directory. This is done in the following way: + +\fBlogon home = \\\\%N\\%U\\profile\fR + +This tells Samba to return the above string, with +substitutions made when a client requests the info, generally +in a NetUserGetInfo request. Win9X clients truncate the info to +\\\\server\\share when a user does \fBnet use /home\fR +but use the whole string when dealing with profiles. + +Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than +\fIlogon home\fR. This broke \fBnet use +/home\fR but allowed profiles outside the home directory. +The current implementation is correct, and can be used for +profiles if you use the above trick. + +This option is only useful if Samba is set up as a logon +server. -The two-digit hash value consists of upper case alphanumeric characters. - -This algorithm can cause name collisions only if files in a directory share -the same first five alphanumeric characters. The probability of such a clash -is 1/1300. - -The name mangling (if enabled) allows a file to be copied between Unix -directories from DOS while retaining the long Unix filename. Unix files can -be renamed to a new extension from DOS and will retain the same basename. -Mangled names do not change between sessions. - -.B Default: - mangled names = yes - -.B Example: - mangled names = no -.SS mangling char (S) -This controls what character is used as the "magic" character in name -mangling. The default is a ~ but this may interfere with some -software. Use this option to set it to whatever you prefer. +Default: \fBlogon home = "\\\\%N\\%U"\fR + +Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR +.TP +\fBlogon path (G)\fR +This parameter specifies the home directory +where roaming profiles (NTuser.dat etc files for Windows NT) are +stored. Contrary to previous versions of these manual pages, it has +nothing to do with Win 9X roaming profiles. To find out how to +handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter. + +This option takes the standard substitutions, allowing you +to have separate logon scripts for each user or machine. It also +specifies the directory from which the "Application Data", +(\fIdesktop\fR, \fIstart menu\fR, +\fInetwork neighborhood\fR, \fIprograms\fR +and other folders, and their contents, are loaded and displayed on +your Windows NT client. + +The share and the path must be readable by the user for +the preferences and directories to be loaded onto the Windows NT +client. The share must be writeable when the user logs in for the first +time, in order that the Windows NT client can create the NTuser.dat +and other directories. + +Thereafter, the directories and any of the contents can, +if required, be made read-only. It is not advisable that the +NTuser.dat file be made read-only - rename it to NTuser.man to +achieve the desired effect (a \fBMAN\fRdatory +profile). + +Windows clients can sometimes maintain a connection to +the [homes] share, even though there is no user logged in. +Therefore, it is vital that the logon path does not include a +reference to the homes share (i.e. setting this parameter to +\\%N\\%U\\profile_path will cause problems). + +This option takes the standard substitutions, allowing +you to have separate logon scripts for each user or machine. + +Note that this option is only useful if Samba is set up +as a logon server. + +Default: \fBlogon path = \\\\%N\\%U\\profile\fR + +Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR +.TP +\fBlogon script (G)\fR +This parameter specifies the batch file (.bat) or +NT command file (.cmd) to be downloaded and run on a machine when +a user successfully logs in. The file must contain the DOS +style CR/LF line endings. Using a DOS-style editor to create the +file is recommended. + +The script must be a relative path to the [netlogon] +service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon +\fR, and \fBlogon script = STARTUP.BAT\fR, then +the file that will be downloaded is: + +\fI/usr/local/samba/netlogon/STARTUP.BAT\fR + +The contents of the batch file are entirely your choice. A +suggested command would be to add \fBNET TIME \\\\SERVER /SET +/YES\fR, to force every machine to synchronize clocks with +the same time server. Another use would be to add \fBNET USE +U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fB NET USE Q: \\\\SERVER\\ISO9001_QA\fR for example. + +Note that it is particularly important not to allow write +access to the [netlogon] share, or to grant users write permission +on the batch files in a secure environment, as this would allow +the batch files to be arbitrarily modified and security to be +breached. + +This option takes the standard substitutions, allowing you +to have separate logon scripts for each user or machine. + +This option is only useful if Samba is set up as a logon +server. -.B Default: - mangling char = ~ +Default: \fBno logon script defined\fR + +Example: \fBlogon script = scripts\\%U.bat\fR +.TP +\fBlppause command (S)\fR +This parameter specifies the command to be +executed on the server host in order to stop printing or spooling +a specific print job. + +This command should be a program or script which takes +a printer name and job number to pause the print job. One way +of implementing this is by using job priorities, where jobs +having a too low priority won't be sent to the printer. + +If a \fI%p\fR is given then the printer name +is put in its place. A \fI%j\fR is replaced with +the job number (an integer). On HPUX (see \fIprinting=hpux +\fR), if the \fI-p%p\fR option is added +to the lpq command, the job will show up with the correct status, i.e. +if the job priority is lower than the set fence priority it will +have the PAUSED status, whereas if the priority is equal or higher it +will have the SPOOLED or PRINTING status. + +Note that it is good practice to include the absolute path +in the lppause command as the PATH may not be available to the server. + +See also the \fIprinting +\fRparameter. + +Default: Currently no default value is given to +this string, unless the value of the \fIprinting\fR +parameter is SYSV, in which case the default is : + +\fBlp -i %p-%j -H hold\fR + +or if the value of the \fIprinting\fR parameter +is SOFTQ, then the default is: + +\fBqstat -s -j%j -h\fR + +Example for HPUX: \fBlppause command = /usr/bin/lpalt +%p-%j -p0\fR +.TP +\fBlpq cache time (G)\fR +This controls how long lpq info will be cached +for to prevent the \fBlpq\fR command being called too +often. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different +\fBlpq\fR commands for different users then they won't +share cache information. + +The cache files are stored in \fI/tmp/lpq.xxxx\fR +where xxxx is a hash of the \fBlpq\fR command in use. + +The default is 10 seconds, meaning that the cached results +of a previous identical \fBlpq\fR command will be used +if the cached data is less than 10 seconds old. A large value may +be advisable if your \fBlpq\fR command is very slow. + +A value of 0 will disable caching completely. + +See also the \fIprinting +\fRparameter. + +Default: \fBlpq cache time = 10\fR + +Example: \fBlpq cache time = 30\fR +.TP +\fBlpq command (S)\fR +This parameter specifies the command to be +executed on the server host in order to obtain \fBlpq +\fR-style printer status information. + +This command should be a program or script which +takes a printer name as its only parameter and outputs printer +status information. + +Currently eight styles of printer status information +are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. +This covers most UNIX systems. You control which type is expected +using the \fIprinting =\fR option. + +Some clients (notably Windows for Workgroups) may not +correctly send the connection number for the printer they are +requesting status information about. To get around this, the +server reports on the first printer service connected to by the +client. This only happens if the connection number sent is invalid. + +If a \fI%p\fR is given then the printer name +is put in its place. Otherwise it is placed at the end of the +command. -.B Example: - mangling char = ^ +Note that it is good practice to include the absolute path +in the \fIlpq command\fR as the \fB$PATH +\fRmay not be available to the server. + +See also the \fIprinting +\fRparameter. + +Default: \fBdepends on the setting of \fI printing\fB\fR + +Example: \fBlpq command = /usr/bin/lpq -P%p\fR +.TP +\fBlpresume command (S)\fR +This parameter specifies the command to be +executed on the server host in order to restart or continue +printing or spooling a specific print job. + +This command should be a program or script which takes +a printer name and job number to resume the print job. See +also the \fIlppause command +\fRparameter. + +If a \fI%p\fR is given then the printer name +is put in its place. A \fI%j\fR is replaced with +the job number (an integer). + +Note that it is good practice to include the absolute path +in the \fIlpresume command\fR as the PATH may not +be available to the server. + +See also the \fIprinting +\fRparameter. + +Default: Currently no default value is given +to this string, unless the value of the \fIprinting\fR +parameter is SYSV, in which case the default is : + +\fBlp -i %p-%j -H resume\fR + +or if the value of the \fIprinting\fR parameter +is SOFTQ, then the default is: + +\fBqstat -s -j%j -r\fR + +Example for HPUX: \fBlpresume command = /usr/bin/lpalt +%p-%j -p2\fR +.TP +\fBlprm command (S)\fR +This parameter specifies the command to be +executed on the server host in order to delete a print job. + +This command should be a program or script which takes +a printer name and job number, and deletes the print job. + +If a \fI%p\fR is given then the printer name +is put in its place. A \fI%j\fR is replaced with +the job number (an integer). + +Note that it is good practice to include the absolute +path in the \fIlprm command\fR as the PATH may not be +available to the server. + +See also the \fIprinting +\fRparameter. + +Default: \fBdepends on the setting of \fIprinting +\fB\fR +Example 1: \fBlprm command = /usr/bin/lprm -P%p %j +\fR +Example 2: \fBlprm command = /usr/bin/cancel %p-%j +\fR.TP +\fBmachine password timeout (G)\fR +If a Samba server is a member of a Windows +NT Domain (see the security = domain) +parameter) then periodically a running smbd(8)process will try and change the MACHINE ACCOUNT +PASSWORD stored in the TDB called \fIprivate/secrets.tdb +\fR\&. This parameter specifies how often this password +will be changed, in seconds. The default is one week (expressed in +seconds), the same as a Windows NT Domain member server. + +See also \fBsmbpasswd(8) +\fR, and the security = domain) parameter. + +Default: \fBmachine password timeout = 604800\fR +.TP +\fBmagic output (S)\fR +This parameter specifies the name of a file +which will contain output created by a magic script (see the +\fImagic script\fR +parameter below). + +Warning: If two clients use the same \fImagic script +\fRin the same directory the output file content +is undefined. + +Default: \fBmagic output = <magic script name>.out +\fR +Example: \fBmagic output = myfile.txt\fR +.TP +\fBmagic script (S)\fR +This parameter specifies the name of a file which, +if opened, will be executed by the server when the file is closed. +This allows a UNIX script to be sent to the Samba host and +executed on behalf of the connected user. + +Scripts executed in this way will be deleted upon +completion assuming that the user has the appropriate level +of privilege and the file permissions allow the deletion. + +If the script generates output, output will be sent to +the file specified by the \fI magic output\fR parameter (see above). + +Note that some shells are unable to interpret scripts +containing CR/LF instead of CR as +the end-of-line marker. Magic scripts must be executable +\fBas is\fR on the host, which for some hosts and +some shells will require filtering at the DOS end. + +Magic scripts are \fBEXPERIMENTAL\fR and +should \fBNOT\fR be relied upon. + +Default: \fBNone. Magic scripts disabled.\fR + +Example: \fBmagic script = user.csh\fR +.TP +\fBmangle case (S)\fR +See the section on NAME MANGLING + +Default: \fBmangle case = no\fR +.TP +\fBmangled map (S)\fR +This is for those who want to directly map UNIX +file names which cannot be represented on Windows/DOS. The mangling +of names is not always what is needed. In particular you may have +documents with file extensions that differ between DOS and UNIX. +For example, under UNIX it is common to use \fI.html\fR +for HTML files, whereas under Windows/DOS \fI.htm\fR +is more commonly used. + +So to map \fIhtml\fR to \fIhtm\fR +you would use: + +\fBmangled map = (*.html *.htm)\fR + +One very useful case is to remove the annoying \fI;1 +\fRoff the ends of filenames on some CDROMs (only visible +under some UNIXes). To do this use a map of (*;1 *;). + +Default: \fBno mangled map\fR + +Example: \fBmangled map = (*;1 *;)\fR +.TP +\fBmangled names (S)\fR +This controls whether non-DOS names under UNIX +should be mapped to DOS-compatible names ("mangled") and made visible, +or whether non-DOS names should simply be ignored. + +See the section on NAME MANGLING for details on how to control the mangling process. -.SS max log size (G) +If mangling is used then the mangling algorithm is as follows: +.RS +.TP 0.2i +\(bu +The first (up to) five alphanumeric characters +before the rightmost dot of the filename are preserved, forced +to upper case, and appear as the first (up to) five characters +of the mangled name. +.TP 0.2i +\(bu +A tilde "~" is appended to the first part of the mangled +name, followed by a two-character unique sequence, based on the +original root name (i.e., the original filename minus its final +extension). The final extension is included in the hash calculation +only if it contains any upper case characters or is longer than three +characters. -This option (an integer in kilobytes) specifies the max size the log -file should grow to. Samba periodically checks the size and if it is -exceeded it will rename the file, adding a .old extension. +Note that the character to use may be specified using +the \fImangling char\fR +option, if you don't like '~'. +.TP 0.2i +\(bu +The first three alphanumeric characters of the final +extension are preserved, forced to upper case and appear as the +extension of the mangled name. The final extension is defined as that +part of the original filename after the rightmost dot. If there are no +dots in the filename, the mangled name will have no extension (except +in the case of "hidden files" - see below). +.TP 0.2i +\(bu +Files whose UNIX name begins with a dot will be +presented as DOS hidden files. The mangled name will be created as +for other filenames, but with the leading dot removed and "___" as +its extension regardless of actual original extension (that's three +underscores). +.RE +.PP +The two-digit hash value consists of upper case +alphanumeric characters. +.PP +.PP +This algorithm can cause name collisions only if files +in a directory share the same first five alphanumeric characters. +The probability of such a clash is 1/1300. +.PP +.PP +The name mangling (if enabled) allows a file to be +copied between UNIX directories from Windows/DOS while retaining +the long UNIX filename. UNIX files can be renamed to a new extension +from Windows/DOS and will retain the same basename. Mangled names +do not change between sessions. +.PP +.PP +Default: \fBmangled names = yes\fR +.PP +.TP +\fBmangled stack (G)\fR +This parameter controls the number of mangled names +that should be cached in the Samba server smbd(8). + +This stack is a list of recently mangled base names +(extensions are only maintained if they are longer than 3 characters +or contains upper case characters). + +The larger this value, the more likely it is that mangled +names can be successfully converted to correct long UNIX names. +However, large stack sizes will slow most directory accesses. Smaller +stacks save memory in the server (each stack element costs 256 bytes). + +It is not possible to absolutely guarantee correct long +filenames, so be prepared for some surprises! + +Default: \fBmangled stack = 50\fR + +Example: \fBmangled stack = 100\fR +.TP +\fBmangling char (S)\fR +This controls what character is used as +the \fBmagic\fR character in name mangling. The default is a '~' +but this may interfere with some software. Use this option to set +it to whatever you prefer. + +Default: \fBmangling char = ~\fR + +Example: \fBmangling char = ^\fR +.TP +\fBmap archive (S)\fR +This controls whether the DOS archive attribute +should be mapped to the UNIX owner execute bit. The DOS archive bit +is set when a file has been modified since its last backup. One +motivation for this option it to keep Samba/your PC from making +any file it touches from becoming executable under UNIX. This can +be quite annoying for shared source code, documents, etc... + +Note that this requires the \fIcreate mask\fR +parameter to be set such that owner execute bit is not masked out +(i.e. it must include 100). See the parameter \fIcreate mask\fR for details. + +Default: \fBmap archive = yes\fR +.TP +\fBmap hidden (S)\fR +This controls whether DOS style hidden files +should be mapped to the UNIX world execute bit. + +Note that this requires the \fIcreate mask\fR +to be set such that the world execute bit is not masked out (i.e. +it must include 001). See the parameter \fIcreate mask\fR for details. + +Default: \fBmap hidden = no\fR +.TP +\fBmap system (S)\fR +This controls whether DOS style system files +should be mapped to the UNIX group execute bit. + +Note that this requires the \fIcreate mask\fR +to be set such that the group execute bit is not masked out (i.e. +it must include 010). See the parameter \fIcreate mask\fR for details. + +Default: \fBmap system = no\fR +.TP +\fBmap to guest (G)\fR +This parameter is only useful in security modes other than \fIsecurity = share\fR +- i.e. user, server, +and domain. + +This parameter can take three different values, which tell +smbd(8)what to do with user +login requests that don't match a valid UNIX user in some way. + +The three settings are : +.RS +.TP 0.2i +\(bu +Never - Means user login +requests with an invalid password are rejected. This is the +default. +.TP 0.2i +\(bu +Bad User - Means user +logins with an invalid password are rejected, unless the username +does not exist, in which case it is treated as a guest login and +mapped into the \fI guest account\fR. +.TP 0.2i +\(bu +Bad Password - Means user logins +with an invalid password are treated as a guest login and mapped +into the guest account. Note that +this can cause problems as it means that any user incorrectly typing +their password will be silently logged on as "guest" - and +will not know the reason they cannot access files they think +they should - there will have been no message given to them +that they got their password wrong. Helpdesk services will +\fBhate\fR you if you set the \fImap to +guest\fR parameter this way :-). +.RE +.PP +Note that this parameter is needed to set up "Guest" +share services when using \fIsecurity\fR modes other than +share. This is because in these modes the name of the resource being +requested is \fBnot\fR sent to the server until after +the server has successfully authenticated the client so the server +cannot make authentication decisions at the correct time (connection +to the share) for "Guest" shares. +.PP +.PP +For people familiar with the older Samba releases, this +parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h. +.PP +.PP +Default: \fBmap to guest = Never\fR +.PP +.PP +Example: \fBmap to guest = Bad User\fR +.PP +.TP +\fBmax connections (S)\fR +This option allows the number of simultaneous +connections to a service to be limited. If \fImax connections +\fRis greater than 0 then connections will be refused if +this number of connections to the service are already open. A value +of zero mean an unlimited number of connections may be made. + +Record lock files are used to implement this feature. The +lock files will be stored in the directory specified by the \fIlock directory\fR +option. + +Default: \fBmax connections = 0\fR + +Example: \fBmax connections = 10\fR +.TP +\fBmax disk size (G)\fR +This option allows you to put an upper limit +on the apparent size of disks. If you set this option to 100 +then all shares will appear to be not larger than 100 MB in +size. + +Note that this option does not limit the amount of +data you can put on the disk. In the above case you could still +store much more than 100 MB on the disk, but if a client ever asks +for the amount of free disk space or the total disk size then the +result will be bounded by the amount specified in \fImax +disk size\fR. + +This option is primarily useful to work around bugs +in some pieces of software that can't handle very large disks, +particularly disks over 1GB in size. + +A \fImax disk size\fR of 0 means no limit. + +Default: \fBmax disk size = 0\fR + +Example: \fBmax disk size = 1000\fR +.TP +\fBmax log size (G)\fR +This option (an integer in kilobytes) specifies +the max size the log file should grow to. Samba periodically checks +the size and if it is exceeded it will rename the file, adding +a \fI.old\fR extension. A size of 0 means no limit. -.B Default: - max log size = 5000 - -.B Example: - max log size = 1000 - -.SS max xmit (G) - -This option controls the maximum packet size that will be negotiated -by Samba. The default is 65535, which is the maximum. In some cases -you may find you get better performance with a smaller value. A value -below 2048 is likely to cause problems. - -.B Default: - max xmit = 65535 - -.B Example: - max xmit = 8192 - -.SS mangled stack (G) -This parameter controls the number of mangled names that should be cached in -the Samba server. - -This stack is a list of recently mangled base names (extensions are only -maintained if they are longer than 3 characters or contains upper case -characters). - -The larger this value, the more likely it is that mangled names can be -successfully converted to correct long Unix names. However, large stack -sizes will slow most directory access. Smaller stacks save memory in the -server (each stack element costs 256 bytes). - -It is not possible to absolutely guarantee correct long file names, so -be prepared for some surprises! - -.B Default: - mangled stack = 50 - -.B Example: - mangled stack = 100 - -.SS map archive (S) -This controls whether the DOS archive attribute should be mapped to Unix -execute bits. The DOS archive bit is set when a file has been modified -since its last backup. One motivation for this option it to keep Samba/your -PC from making any file it touches from becoming executable under UNIX. -This can be quite annoying for shared source code, documents, etc... - -.B Default: - map archive = yes - -.B Example: - map archive = no - -.SS map hidden (S) -This controls whether DOS style hidden files should be mapped to Unix -execute bits. - -.B Default: - map hidden = no - -.B Example: - map hidden = yes -.SS map system (S) -This controls whether DOS style system files should be mapped to Unix -execute bits. - -.B Default: - map system = no - -.B Example: - map system = yes -.SS max connections (S) -This option allows the number of simultaneous connections to a -service to be limited. If "max connections" is greater than 0 then -connections will be refused if this number of connections to the -service are already open. A value of zero mean an unlimited number of -connections may be made. - -Record lock files are used to implement this feature. The lock files -will be stored in the directory specified by the "lock directory" option. - -.B Default: - max connections = 0 - -.B Example: - max connections = 10 -.SS only user (S) -This is a boolean option that controls whether connections with -usernames not in the user= list will be allowed. By default this -option is disabled so a client can supply a username to be used by -the server. - -Note that this also means Samba won't try to deduce usernames from the -service name. This can be annoying for the [homes] section. To get -around this you could use "user = %S" which means your "user" list -will be just the service name, which for home directories is the name -of the user. - -.B Default: - only user = False - -.B Example: - only user = True - -.SS message command (G) - -This specifies what command to run when the server receives a WinPopup -style message. - -This would normally be a command that would deliver the message -somehow. How this is to be done is up to your imagination. - -What I use is: - - message command = csh -c 'xedit %s;rm %s' & - -This delivers the message using xedit, then removes it -afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN -IMMEDIATELY. That's why I have the & on the end. If it doesn't return -immediately then your PCs may freeze when sending messages (they -should recover after 30secs, hopefully). - -All messages are delivered as the global guest user. The command takes -the standard substitutions, although %u won't work (%U may be better +Default: \fBmax log size = 5000\fR + +Example: \fBmax log size = 1000\fR +.TP +\fBmax mux (G)\fR +This option controls the maximum number of +outstanding simultaneous SMB operations that Samba tells the client +it will allow. You should never need to set this parameter. + +Default: \fBmax mux = 50\fR +.TP +\fBmax open files (G)\fR +This parameter limits the maximum number of +open files that one smbd(8)file +serving process may have open for a client at any one time. The +default for this parameter is set very high (10,000) as Samba uses +only one bit per unopened file. + +The limit of the number of open files is usually set +by the UNIX per-process file descriptor limit rather than +this parameter so you should never need to touch this parameter. + +Default: \fBmax open files = 10000\fR +.TP +\fBmax print jobs (S)\fR +This parameter limits the maximum number of +jobs allowable in a Samba printer queue at any given moment. +If this number is exceeded, \fB smbd(8)\fRwill remote "Out of Space" to the client. +See all \fItotal +print jobs\fR. + +Default: \fBmax print jobs = 1000\fR + +Example: \fBmax print jobs = 5000\fR +.TP +\fBmax protocol (G)\fR +The value of the parameter (a string) is the highest +protocol level that will be supported by the server. + +Possible values are : +.RS +.TP 0.2i +\(bu +CORE: Earliest version. No +concept of user names. +.TP 0.2i +\(bu +COREPLUS: Slight improvements on +CORE for efficiency. +.TP 0.2i +\(bu +LANMAN1: First \fB modern\fR version of the protocol. Long filename +support. +.TP 0.2i +\(bu +LANMAN2: Updates to Lanman1 protocol. +.TP 0.2i +\(bu +NT1: Current up to date version of +the protocol. Used by Windows NT. Known as CIFS. +.RE +.PP +Normally this option should not be set as the automatic +negotiation phase in the SMB protocol takes care of choosing +the appropriate protocol. +.PP +.PP +See also \fImin +protocol\fR +.PP +.PP +Default: \fBmax protocol = NT1\fR +.PP +.PP +Example: \fBmax protocol = LANMAN1\fR +.PP +.TP +\fBmax smbd processes (G)\fR +This parameter limits the maximum number of +\fBsmbd(8)\fR +processes concurrently running on a system and is intended +as a stopgap to prevent degrading service to clients in the event +that the server has insufficient resources to handle more than this +number of connections. Remember that under normal operating +conditions, each user will have an smbdassociated with him or her +to handle connections to all shares from a given host. + +Default: \fBmax smbd processes = 0\fR ## no limit + +Example: \fBmax smbd processes = 1000\fR +.TP +\fBmax ttl (G)\fR +This option tells nmbd(8) +what the default 'time to live' of NetBIOS names should be (in seconds) +when \fBnmbd\fR is requesting a name using either a +broadcast packet or from a WINS server. You should never need to +change this parameter. The default is 3 days. + +Default: \fBmax ttl = 259200\fR +.TP +\fBmax wins ttl (G)\fR +This option tells nmbd(8) +when acting as a WINS server ( \fIwins support = yes\fR) what the maximum +\&'time to live' of NetBIOS names that \fBnmbd\fR +will grant will be (in seconds). You should never need to change this +parameter. The default is 6 days (518400 seconds). + +See also the \fImin +wins ttl\fR parameter. + +Default: \fBmax wins ttl = 518400\fR +.TP +\fBmax xmit (G)\fR +This option controls the maximum packet size +that will be negotiated by Samba. The default is 65535, which +is the maximum. In some cases you may find you get better performance +with a smaller value. A value below 2048 is likely to cause problems. + +Default: \fBmax xmit = 65535\fR + +Example: \fBmax xmit = 8192\fR +.TP +\fBmessage command (G)\fR +This specifies what command to run when the +server receives a WinPopup style message. + +This would normally be a command that would +deliver the message somehow. How this is to be done is +up to your imagination. + +An example is: + +\fBmessage command = csh -c 'xedit %s;rm %s' &\fR + +This delivers the message using \fBxedit\fR, then +removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT +THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I +have the '&' on the end. If it doesn't return immediately then +your PCs may freeze when sending messages (they should recover +after 30 seconds, hopefully). + +All messages are delivered as the global guest user. +The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better in this case). -Apart from the standard substitutions, some additional ones apply. In -particular: - -%s = the filename containing the message - -%t = the destination that the message was sent to (probably the server -name) - -%f = who the message is from - -You could make this command send mail, or whatever else takes your -fancy. Please let me know of any really interesting ideas you have. - +Apart from the standard substitutions, some additional +ones apply. In particular: +.RS +.TP 0.2i +\(bu +\fI%s\fR = the filename containing +the message. +.TP 0.2i +\(bu +\fI%t\fR = the destination that +the message was sent to (probably the server name). +.TP 0.2i +\(bu +\fI%f\fR = who the message +is from. +.RE +.PP +You could make this command send mail, or whatever else +takes your fancy. Please let us know of any really interesting +ideas you have. +.PP +.PP Here's a way of sending the messages as mail to root: - -message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s - -If you don't have a message command then the message won't be -delivered and Samba will tell the sender there was an -error. Unfortunately WfWg totally ignores the error code and carries -on regardless, saying that the message was delivered. - -If you want to silently delete it then try "message command = rm %s". - -For the really adventurous, try something like this: - -message command = csh -c 'csh < %s |& /usr/local/samba/smbclient \\ - -M %m; rm %s' & - -this would execute the command as a script on the server, then give -them the result in a WinPopup message. Note that this could cause a -loop if you send a message from the server using smbclient! You better -wrap the above in a script that checks for this :-) - -.B Default: - no message command - -.B Example: - message command = csh -c 'xedit %s;rm %s' & - -.SS min print space (S) - -This sets the minimum amount of free disk space that must be available -before a user will be able to spool a print job. It is specified in -kilobytes. The default is 0, which means no limit. - -.B Default: - min print space = 0 - -.B Example: - min print space = 2000 - -.SS null passwords (G) -Allow or disallow access to accounts that have null passwords. - -.B Default: - null passwords = no - -.B Example: - null passwords = yes - -.SS os level (G) -This integer value controls what level Samba advertises itself as for -browse elections. See BROWSING.txt for details. - -.SS packet size (G) -The maximum transmit packet size during a raw read. This option is no -longer implemented as of version 1.7.00, and is kept only so old -configuration files do not become invalid. - -.SS passwd chat (G) -This string coontrols the "chat" conversation that takes places -between smbd and the local password changing program to change the -users password. The string describes a sequence of response-receive -pairs that smbd uses to determine what to send to the passwd program -and what to expect back. If the expected output is not received then -the password is not changed. - -This chat sequence is often quite site specific, deppending on what -local methods are used for password control (such as NIS+ etc). - -The string can contain the macros %o and %n which are substituted for -the old and new passwords respectively. It can aso contain the -standard macros \\n \\r \\t and \\s to give line-feed, carriage-return, -tab and space. - -The string can also contain a * which matches any sequence of -characters. - -Double quotes can be used to collect strings with spaces in them into -a single string. - -If the send string in any part of the chat sequence is a fullstop "." -then no string is sent. Similarly, is the expect string is a fullstop -then no string is expected. - -.B Example: - passwd chat = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n \\ - "*Reenter NEW password*" %n\\n "*Password changed*" - -.B Default: - passwd chat = *old*password* %o\\n *new*password* %n\\n *new*password* %n\\n *changed* - -.SS passwd program (G) -The name of a program that can be used to set user passwords. - -This is only necessary if you have enabled remote password changing at -compile time. Any occurances of %u will be replaced with the user -name. - -Also note that many passwd programs insist in "reasonable" passwords, -such as a minimum length, or the inclusion of mixed case chars and -digits. This can pose a problem as some clients (such as Windows for -Workgroups) uppercase the password before sending it. - -.B Default: - passwd program = /bin/passwd - -.B Example: - passwd program = /sbin/passwd %u - -.SS password level (G) -Some client/server conbinations have difficulty with mixed-case passwords. -One offending client is Windows for Workgroups, which for some reason forces -passwords to upper case when using the LANMAN1 protocol, but leaves them alone -when using COREPLUS! - -This parameter defines the maximum number of characters that may be upper case -in passwords. - -For example, say the password given was "FRED". If -.B password level -is set to 1 (one), the following combinations would be tried if "FRED" failed: -"Fred", "fred", "fRed", "frEd", "freD". If -.B password level was set to 2 (two), the following combinations would also be -tried: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED". And so on. - -The higher value this parameter is set to the more likely it is that a mixed -case password will be matched against a single case password. However, you -should be aware that use of this parameter reduces security and increases the -time taken to process a new connection. - -A value of zero will cause only two attempts to be made - the password as is -and the password in all-lower case. - -If you find the connections are taking too long with this option then -you probably have a slow crypt() routine. Samba now comes with a fast -"ufc crypt" that you can select in the Makefile. You should also make -sure the PASSWORD_LENGTH option is correct for your system in local.h -and includes.h. On most systems only the first 8 chars of a password -are significant so PASSWORD_LENGTH should be 8, but on some longer -passwords are significant. The inlcudes.h file tries to select the -right length for your system. - -.B Default: - password level = 0 - -.B Example: - password level = 4 - -.SS password server (G) - -By specifying the name of another SMB server (such as a WinNT box) -with this option, and using "security = server" you can get Samba to -do all it's username/password validation via a remote server. - -This options sets the name of the password server to use. It must be a -netbios name, so if the machines netbios name is different from it's -internet name then you may have to add it's netbios name to -/etc/hosts. - -The password server much be a machine capable of using the "LM1.2X002" -or the "LM NT 0.12" protocol, and it must be in user level security -mode. - -NOTE: Using a password server means your unix box (running Samba) is -only as secure as your password server. DO NOT CHOOSE A PASSWORD -SERVER THAT YOU DON'T COMPLETELY TRUST. - -Never point a Samba server at itself for password serving. This will -cause a loop and could lock up your Samba server! - -The name of the password server takes the standard substitutions, but -probably the only useful one is %m, which means the Samba server will -use the incoming client as the password server. If you use this then -you better trust your clients, and you better restrict them with hosts -allow! - -If you list several hosts in the "password server" option then smbd -will try each in turn till it finds one that responds. This is useful -in case your primary server goes down. - -.SS path (S) -A synonym for this parameter is 'directory'. - -This parameter specifies a directory to which the user of the service is to -be given access. In the case of printable services, this is where print data -will spool prior to being submitted to the host for printing. - -For a printable service offering guest access, the service should be readonly -and the path should be world-writable and have the sticky bit set. This is not -mandatory of course, but you probably won't get the results you expect if you -do otherwise. - -Any occurances of %u in the path will be replaced with the username -that the client is connecting as. Any occurances of %m will be -replaced by the name of the machine they are connecting from. These -replacements are very useful for setting up pseudo home directories -for users. - -Note that this path will be based on 'root dir' if one was specified. -.B Default: - none - -.B Example: - path = /home/fred+ - -.SS postexec (S) - -This option specifies a command to be run whenever the service is -disconnected. It takes the usual substitutions. The command may be run -as the root on some systems. - -An interesting example may be do unmount server resources: - -postexec = /etc/umount /cdrom - -See also preexec - -.B Default: - none (no command executed) - -.B Example: - postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log - -.SS postscript (S) -This parameter forces a printer to interpret the print files as -postscript. This is done by adding a %! to the start of print output. - -This is most useful when you have lots of PCs that persist in putting -a control-D at the start of print jobs, which then confuses your -printer. - -.B Default: - postscript = False - -.B Example: - postscript = True - -.SS preexec (S) - -This option specifies a command to be run whenever the service is -connected to. It takes the usual substitutions. - -An interesting example is to send the users a welcome message every -time they log in. Maybe a message of the day? Here is an example: - -preexec = csh -c 'echo \"Welcome to %S!\" | \ - /usr/local/samba/smbclient -M %m -I %I' & +.PP +.PP +\fBmessage command = /bin/mail -s 'message from %f on +%m' root < %s; rm %s\fR +.PP +.PP +If you don't have a message command then the message +won't be delivered and Samba will tell the sender there was +an error. Unfortunately WfWg totally ignores the error code +and carries on regardless, saying that the message was delivered. +.PP +.PP +If you want to silently delete it then try: +.PP +.PP +\fBmessage command = rm %s\fR +.PP +.PP +Default: \fBno message command\fR +.PP +.PP +Example: \fBmessage command = csh -c 'xedit %s; +rm %s' &\fR +.PP +.TP +\fBmin passwd length (G)\fR +Synonym for \fImin password length\fR. +.TP +\fBmin password length (G)\fR +This option sets the minimum length in characters +of a plaintext password that \fBsmbd\fR will accept when performing +UNIX password changing. + +See also \fIunix +password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR +\&. + +Default: \fBmin password length = 5\fR +.TP +\fBmin print space (S)\fR +This sets the minimum amount of free disk +space that must be available before a user will be able to spool +a print job. It is specified in kilobytes. The default is 0, which +means a user can always spool a print job. + +See also the \fIprinting +\fRparameter. + +Default: \fBmin print space = 0\fR + +Example: \fBmin print space = 2000\fR +.TP +\fBmin protocol (G)\fR +The value of the parameter (a string) is the +lowest SMB protocol dialect than Samba will support. Please refer +to the \fImax protocol\fR +parameter for a list of valid protocol names and a brief description +of each. You may also wish to refer to the C source code in +\fIsource/smbd/negprot.c\fR for a listing of known protocol +dialects supported by clients. + +If you are viewing this parameter as a security measure, you should +also refer to the \fIlanman +auth\fR parameter. Otherwise, you should never need +to change this parameter. + +Default : \fBmin protocol = CORE\fR + +Example : \fBmin protocol = NT1\fR # disable DOS +clients +.TP +\fBmin wins ttl (G)\fR +This option tells nmbd(8) +when acting as a WINS server (\fI wins support = yes\fR) what the minimum 'time to live' +of NetBIOS names that \fBnmbd\fR will grant will be (in +seconds). You should never need to change this parameter. The default +is 6 hours (21600 seconds). + +Default: \fBmin wins ttl = 21600\fR +.TP +\fBmsdfs root (S)\fR +This boolean parameter is only available if +Samba is configured and compiled with the \fB --with-msdfs\fR option. If set to yes, +Samba treats the share as a Dfs root and allows clients to browse +the distributed file system tree rooted at the share directory. +Dfs links are specified in the share directory by symbolic +links of the form \fImsdfs:serverA\\shareA,serverB\\shareB +\fRand so on. For more information on setting up a Dfs tree +on Samba, refer to msdfs_setup.html +. + +See also \fIhost msdfs +\fR +Default: \fBmsdfs root = no\fR +.TP +\fBname resolve order (G)\fR +This option is used by the programs in the Samba +suite to determine what naming services to use and in what order +to resolve host names to IP addresses. The option takes a space +separated string of name resolution options. + +The options are :"lmhosts", "host", "wins" and "bcast". They +cause names to be resolved as follows : +.RS +.TP 0.2i +\(bu +lmhosts : Lookup an IP +address in the Samba lmhosts file. If the line in lmhosts has +no name type attached to the NetBIOS name (see the lmhosts(5)for details) then +any name type matches for lookup. +.TP 0.2i +\(bu +host : Do a standard host +name to IP address resolution, using the system \fI/etc/hosts +\fR, NIS, or DNS lookups. This method of name resolution +is operating system depended for instance on IRIX or Solaris this +may be controlled by the \fI/etc/nsswitch.conf\fR +file. Note that this method is only used if the NetBIOS name +type being queried is the 0x20 (server) name type, otherwise +it is ignored. +.TP 0.2i +\(bu +wins : Query a name with +the IP address listed in the \fI wins server\fR parameter. If no WINS server has +been specified this method will be ignored. +.TP 0.2i +\(bu +bcast : Do a broadcast on +each of the known local interfaces listed in the \fIinterfaces\fR +parameter. This is the least reliable of the name resolution +methods as it depends on the target host being on a locally +connected subnet. +.RE +.PP +Default: \fBname resolve order = lmhosts host wins bcast +\fR.PP +.PP +Example: \fBname resolve order = lmhosts bcast host +\fR.PP +.PP +This will cause the local lmhosts file to be examined +first, followed by a broadcast attempt, followed by a normal +system hostname lookup. +.PP +.TP +\fBnetbios aliases (G)\fR +This is a list of NetBIOS names that nmbd(8)will advertise as additional +names by which the Samba server is known. This allows one machine +to appear in browse lists under multiple names. If a machine is +acting as a browse server or logon server none +of these names will be advertised as either browse server or logon +servers, only the primary name of the machine will be advertised +with these capabilities. + +See also \fInetbios +name\fR. + +Default: \fBempty string (no additional names)\fR + +Example: \fBnetbios aliases = TEST TEST1 TEST2\fR +.TP +\fBnetbios name (G)\fR +This sets the NetBIOS name by which a Samba +server is known. By default it is the same as the first component +of the host's DNS name. If a machine is a browse server or +logon server this name (or the first component +of the hosts DNS name) will be the name that these services are +advertised under. + +See also \fInetbios +aliases\fR. + +Default: \fBmachine DNS name\fR + +Example: \fBnetbios name = MYNAME\fR +.TP +\fBnetbios scope (G)\fR +This sets the NetBIOS scope that Samba will +operate under. This should not be set unless every machine +on your LAN also sets this value. +.TP +\fBnis homedir (G)\fR +Get the home share server from a NIS map. For +UNIX systems that use an automounter, the user's home directory +will often be mounted on a workstation on demand from a remote +server. + +When the Samba logon server is not the actual home directory +server, but is mounting the home directories via NFS then two +network hops would be required to access the users home directory +if the logon server told the client to use itself as the SMB server +for home directories (one over SMB and one over NFS). This can +be very slow. + +This option allows Samba to return the home share as +being on a different server to the logon server and as +long as a Samba daemon is running on the home directory server, +it will be mounted on the Samba client directly from the directory +server. When Samba is returning the home share to the client, it +will consult the NIS map specified in \fIhomedir map\fR and return the server +listed there. + +Note that for this option to work there must be a working +NIS system and the Samba server with this option must also +be a logon server. + +Default: \fBnis homedir = no\fR +.TP +\fBnon unix account range (G)\fR +The non unix account range parameter specifies +the range of 'user ids' that are allocated by the various 'non unix +account' passdb backends. These backends allow +the storage of passwords for users who don't exist in /etc/passwd. +This is most often used for machine account creation. +This range of ids should have no existing local or NIS users within +it as strange conflicts can occur otherwise. + +NOTE: These userids never appear on the system and Samba will never +\&'become' these users. They are used only to ensure that the algorithmic +RID mapping does not conflict with normal users. + +Default: \fBnon unix account range = <empty string> +\fR +Example: \fBnon unix account range = 10000-20000\fR +.TP +\fBnt acl support (S)\fR +This boolean parameter controls whether +smbd(8)will attempt to map +UNIX permissions into Windows NT access control lists. +This parameter was formally a global parameter in releases +prior to 2.2.2. + +Default: \fBnt acl support = yes\fR +.TP +\fBnt pipe support (G)\fR +This boolean parameter controls whether +smbd(8)will allow Windows NT +clients to connect to the NT SMB specific IPC$ +pipes. This is a developer debugging option and can be left +alone. + +Default: \fBnt pipe support = yes\fR +.TP +\fBnull passwords (G)\fR +Allow or disallow client access to accounts +that have null passwords. + +See also smbpasswd (5). + +Default: \fBnull passwords = no\fR +.TP +\fBobey pam restrictions (G)\fR +When Samba 2.2 is configured to enable PAM support +(i.e. --with-pam), this parameter will control whether or not Samba +should obey PAM's account and session management directives. The +default behavior is to use PAM for clear text authentication only +and to ignore any account or session management. Note that Samba +always ignores PAM for authentication in the case of \fIencrypt passwords = yes\fR +\&. The reason is that PAM modules cannot support the challenge/response +authentication mechanism needed in the presence of SMB password encryption. + +Default: \fBobey pam restrictions = no\fR +.TP +\fBonly user (S)\fR +This is a boolean option that controls whether +connections with usernames not in the \fIuser\fR +list will be allowed. By default this option is disabled so that a +client can supply a username to be used by the server. Enabling +this parameter will force the server to only user the login +names from the \fIuser\fR list and is only really +useful in shave level +security. + +Note that this also means Samba won't try to deduce +usernames from the service name. This can be annoying for +the [homes] section. To get around this you could use \fBuser = +%S\fR which means your \fIuser\fR list +will be just the service name, which for home directories is the +name of the user. + +See also the \fIuser\fR +parameter. + +Default: \fBonly user = no\fR +.TP +\fBonly guest (S)\fR +A synonym for \fI guest only\fR. +.TP +\fBoplock break wait time (G)\fR +This is a tuning parameter added due to bugs in +both Windows 9x and WinNT. If Samba responds to a client too +quickly when that client issues an SMB that can cause an oplock +break request, then the network client can fail and not respond +to the break request. This tuning parameter (which is set in milliseconds) +is the amount of time Samba will wait before sending an oplock break +request to such (broken) clients. + +\fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ +AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR. + +Default: \fBoplock break wait time = 0\fR +.TP +\fBoplock contention limit (S)\fR +This is a \fBvery\fR advanced +smbd(8)tuning option to +improve the efficiency of the granting of oplocks under multiple +client contention for the same file. + +In brief it specifies a number, which causes smbdnot to +grant an oplock even when requested if the approximate number of +clients contending for an oplock on the same file goes over this +limit. This causes \fBsmbd\fR to behave in a similar +way to Windows NT. + +\fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ +AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR. + +Default: \fBoplock contention limit = 2\fR +.TP +\fBoplocks (S)\fR +This boolean option tells \fBsmbd\fR whether to +issue oplocks (opportunistic locks) to file open requests on this +share. The oplock code can dramatically (approx. 30% or more) improve +the speed of access to files on Samba servers. It allows the clients +to aggressively cache files locally and you may want to disable this +option for unreliable network environments (it is turned on by +default in Windows NT Servers). For more information see the file +\fISpeed.txt\fR in the Samba \fIdocs/\fR +directory. + +Oplocks may be selectively turned off on certain files with a +share. See the \fI veto oplock files\fR parameter. On some systems +oplocks are recognized by the underlying operating system. This +allows data synchronization between all access to oplocked files, +whether it be via Samba or NFS or a local UNIX process. See the +\fIkernel oplocks\fR parameter for details. + +See also the \fIkernel +oplocks\fR and \fI level2 oplocks\fR parameters. + +Default: \fBoplocks = yes\fR +.TP +\fBos level (G)\fR +This integer value controls what level Samba +advertises itself as for browse elections. The value of this +parameter determines whether nmbd(8) +has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area. + +\fBNote :\fRBy default, Samba will win +a local master browsing election over all Microsoft operating +systems except a Windows NT 4.0/2000 Domain Controller. This +means that a misconfigured Samba host can effectively isolate +a subnet for browsing purposes. See \fIBROWSING.txt +\fRin the Samba \fIdocs/\fR directory +for details. + +Default: \fBos level = 20\fR + +Example: \fBos level = 65 \fR +.TP +\fBos2 driver map (G)\fR +The parameter is used to define the absolute +path to a file containing a mapping of Windows NT printer driver +names to OS/2 printer driver names. The format is: + +<nt driver name> = <os2 driver +name>.<device name> + +For example, a valid entry using the HP LaserJet 5 +printer driver would appear as \fBHP LaserJet 5L = LASERJET.HP +LaserJet 5L\fR. + +The need for the file is due to the printer driver namespace +problem described in the Samba +Printing HOWTO. For more details on OS/2 clients, please +refer to the OS2-Client-HOWTO +containing in the Samba documentation. + +Default: \fBos2 driver map = <empty string> +\fR.TP +\fBpam password change (G)\fR +With the addition of better PAM support in Samba 2.2, +this parameter, it is possible to use PAM's password change control +flag for Samba. If enabled, then PAM will be used for password +changes when requested by an SMB client instead of the program listed in +\fIpasswd program\fR. +It should be possible to enable this without changing your +\fIpasswd chat\fR +parameter for most setups. + +Default: \fBpam password change = no\fR +.TP +\fBpanic action (G)\fR +This is a Samba developer option that allows a +system command to be called when either smbd(8) +crashes. This is usually used to draw attention to the fact that +a problem occurred. + +Default: \fBpanic action = <empty string>\fR + +Example: \fBpanic action = "/bin/sleep 90000"\fR +.TP +\fBpassdb backend (G)\fR +This option allows the administrator to chose what +backend in which to store passwords. This allows (for example) both +smbpasswd and tdbsam to be used without a recompile. Only one can +be used at a time however, and experimental backends must still be selected +(eg --with-tdbsam) at configure time. + +This paramater is in two parts, the backend's name, and a 'location' +string that has meaning only to that particular backed. These are separated +by a : character. + +Available backends can include: +.RS +.TP 0.2i +\(bu +\fBsmbpasswd\fR - The default smbpasswd +backend. Takes a path to the smbpasswd file as an optional argument. +.TP 0.2i +\(bu +\fBsmbpasswd_nua\fR - The smbpasswd +backend, but with support for 'not unix accounts'. +Takes a path to the smbpasswd file as an optional argument. + +See also \fInon unix account range\fR +.TP 0.2i +\(bu +\fBtdbsam\fR - The TDB based password storage +backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb +in the \fIprivate dir\fR directory. +.TP 0.2i +\(bu +\fBtdbsam_nua\fR - The TDB based password storage +backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb +in the \fIprivate dir\fR directory. + +See also \fInon unix account range\fR +.TP 0.2i +\(bu +\fBldapsam\fR - The LDAP based passdb +backend. Takes an LDAP URL as an optional argument (defaults to +\fBldap://localhost\fR) +.TP 0.2i +\(bu +\fBldapsam_nua\fR - The LDAP based passdb +backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to +\fBldap://localhost\fR) + +See also \fInon unix account range\fR +.TP 0.2i +\(bu +\fBplugin\fR - Allows Samba to load an +arbitary passdb backend from the .so specified as a compulsary argument. + +Any characters after the (optional) second : are passed to the plugin +for its own processing +.RE +.PP + +Default: \fBpassdb backend = smbpasswd\fR + +Example: \fBpassdb backend = tdbsam:/etc/samba/private/passdb.tdb\fR + +Example: \fBpassdb backend = ldapsam_nua:ldaps://ldap.example.com\fR + +Example: \fBpassdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args\fR +.TP +\fBpasswd chat (G)\fR +This string controls the \fB"chat"\fR +conversation that takes places between smbdand the local password changing +program to change the user's password. The string describes a +sequence of response-receive pairs that smbd(8)uses to determine what to send to the +\fIpasswd program\fR +and what to expect back. If the expected output is not +received then the password is not changed. + +This chat sequence is often quite site specific, depending +on what local methods are used for password control (such as NIS +etc). + +Note that this parameter only is only used if the \fIunix +password sync\fR parameter is set to yes. This +sequence is then called \fBAS ROOT\fR when the SMB password +in the smbpasswd file is being changed, without access to the old +password cleartext. This means that root must be able to reset the user's password +without knowing the text of the previous password. In the presence of NIS/YP, +this means that the passwd program must be +executed on the NIS master. + +The string can contain the macro \fI%n\fR which is substituted +for the new password. The chat sequence can also contain the standard +macros \\n, \\r, \\t and \\s to give line-feed, +carriage-return, tab and space. The chat sequence string can also contain +a '*' which matches any sequence of characters. +Double quotes can be used to collect strings with spaces +in them into a single string. + +If the send string in any part of the chat sequence +is a full stop ".", then no string is sent. Similarly, +if the expect string is a full stop then no string is expected. + +If the \fIpam +password change\fR parameter is set to true, the chat pairs +may be matched in any order, and success is determined by the PAM result, +not any particular output. The \\n macro is ignored for PAM conversions. + +See also \fIunix password +sync\fR, \fI passwd program\fR , \fIpasswd chat debug\fR and \fIpam password change\fR. + +Default: \fBpasswd chat = *new*password* %n\\n +*new*password* %n\\n *changed*\fR + +Example: \fBpasswd chat = "*Enter OLD password*" %o\\n +"*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password +changed*"\fR +.TP +\fBpasswd chat debug (G)\fR +This boolean specifies if the passwd chat script +parameter is run in \fBdebug\fR mode. In this mode the +strings passed to and received from the passwd chat are printed +in the smbd(8)log with a +\fIdebug level\fR +of 100. This is a dangerous option as it will allow plaintext passwords +to be seen in the \fBsmbd\fR log. It is available to help +Samba admins debug their \fIpasswd chat\fR scripts +when calling the \fIpasswd program\fR and should +be turned off after this has been done. This option has no effect if the +\fIpam password change\fR +paramter is set. This parameter is off by default. + +See also \fIpasswd chat\fR +, \fIpam password change\fR +, \fIpasswd program\fR +\&. + +Default: \fBpasswd chat debug = no\fR +.TP +\fBpasswd program (G)\fR +The name of a program that can be used to set +UNIX user passwords. Any occurrences of \fI%u\fR +will be replaced with the user name. The user name is checked for +existence before calling the password changing program. + +Also note that many passwd programs insist in \fBreasonable +\fRpasswords, such as a minimum length, or the inclusion +of mixed case chars and digits. This can pose a problem as some clients +(such as Windows for Workgroups) uppercase the password before sending +it. + +\fBNote\fR that if the \fIunix +password sync\fR parameter is set to true +then this program is called \fBAS ROOT\fR +before the SMB password in the smbpasswd(5) +file is changed. If this UNIX password change fails, then +\fBsmbd\fR will fail to change the SMB password also +(this is by design). + +If the \fIunix password sync\fR parameter +is set this parameter \fBMUST USE ABSOLUTE PATHS\fR +for \fBALL\fR programs called, and must be examined +for security implications. Note that by default \fIunix +password sync\fR is set to false. + +See also \fIunix +password sync\fR. + +Default: \fBpasswd program = /bin/passwd\fR + +Example: \fBpasswd program = /sbin/npasswd %u\fR +.TP +\fBpassword level (G)\fR +Some client/server combinations have difficulty +with mixed-case passwords. One offending client is Windows for +Workgroups, which for some reason forces passwords to upper +case when using the LANMAN1 protocol, but leaves them alone when +using COREPLUS! Another problem child is the Windows 95/98 +family of operating systems. These clients upper case clear +text passwords even when NT LM 0.12 selected by the protocol +negotiation request/response. + +This parameter defines the maximum number of characters +that may be upper case in passwords. + +For example, say the password given was "FRED". If \fI password level\fR is set to 1, the following combinations +would be tried if "FRED" failed: + +"Fred", "fred", "fRed", "frEd","freD" + +If \fIpassword level\fR was set to 2, +the following combinations would also be tried: + +"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. + +And so on. + +The higher value this parameter is set to the more likely +it is that a mixed case password will be matched against a single +case password. However, you should be aware that use of this +parameter reduces security and increases the time taken to +process a new connection. + +A value of zero will cause only two attempts to be +made - the password as is and the password in all-lower case. + +Default: \fBpassword level = 0\fR + +Example: \fBpassword level = 4\fR +.TP +\fBpassword server (G)\fR +By specifying the name of another SMB server (such +as a WinNT box) with this option, and using \fBsecurity = domain +\fRor \fBsecurity = server\fR you can get Samba +to do all its username/password validation via a remote server. + +This option sets the name of the password server to use. +It must be a NetBIOS name, so if the machine's NetBIOS name is +different from its Internet name then you may have to add its NetBIOS +name to the lmhosts file which is stored in the same directory +as the \fIsmb.conf\fR file. + +The name of the password server is looked up using the +parameter \fIname +resolve order\fR and so may resolved +by any method and order described in that parameter. + +The password server much be a machine capable of using +the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in +user level security mode. + +\fBNOTE:\fR Using a password server +means your UNIX box (running Samba) is only as secure as your +password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT +YOU DON'T COMPLETELY TRUST\fR. + +Never point a Samba server at itself for password +serving. This will cause a loop and could lock up your Samba +server! + +The name of the password server takes the standard +substitutions, but probably the only useful one is \fI%m +\fR, which means the Samba server will use the incoming +client as the password server. If you use this then you better +trust your clients, and you had better restrict them with hosts allow! + +If the \fIsecurity\fR parameter is set to +domain, then the list of machines in this +option must be a list of Primary or Backup Domain controllers for the +Domain or the character '*', as the Samba server is effectively +in that domain, and will use cryptographically authenticated RPC calls +to authenticate the user logging on. The advantage of using \fB security = domain\fR is that if you list several hosts in the +\fIpassword server\fR option then \fBsmbd +\fRwill try each in turn till it finds one that responds. This +is useful in case your primary server goes down. + +If the \fIpassword server\fR option is set +to the character '*', then Samba will attempt to auto-locate the +Primary or Backup Domain controllers to authenticate against by +doing a query for the name WORKGROUP<1C> +and then contacting each server returned in the list of IP +addresses from the name resolution source. + +If the \fIsecurity\fR parameter is +set to server, then there are different +restrictions that \fBsecurity = domain\fR doesn't +suffer from: +.RS +.TP 0.2i +\(bu +You may list several password servers in +the \fIpassword server\fR parameter, however if an +\fBsmbd\fR makes a connection to a password server, +and then the password server fails, no more users will be able +to be authenticated from this \fBsmbd\fR. This is a +restriction of the SMB/CIFS protocol when in \fBsecurity = server +\fRmode and cannot be fixed in Samba. +.TP 0.2i +\(bu +If you are using a Windows NT server as your +password server then you will have to ensure that your users +are able to login from the Samba server, as when in \fB security = server\fR mode the network logon will appear to +come from there rather than from the users workstation. +.RE +.PP +See also the \fIsecurity +\fRparameter. +.PP +.PP +Default: \fBpassword server = <empty string>\fR +.PP +.PP +Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2 +\fR.PP +.PP +Example: \fBpassword server = *\fR +.PP +.TP +\fBpath (S)\fR +This parameter specifies a directory to which +the user of the service is to be given access. In the case of +printable services, this is where print data will spool prior to +being submitted to the host for printing. + +For a printable service offering guest access, the service +should be readonly and the path should be world-writeable and +have the sticky bit set. This is not mandatory of course, but +you probably won't get the results you expect if you do +otherwise. + +Any occurrences of \fI%u\fR in the path +will be replaced with the UNIX username that the client is using +on this connection. Any occurrences of \fI%m\fR +will be replaced by the NetBIOS name of the machine they are +connecting from. These replacements are very useful for setting +up pseudo home directories for users. + +Note that this path will be based on \fIroot dir\fR if one was specified. + +Default: \fBnone\fR + +Example: \fBpath = /home/fred\fR +.TP +\fBposix locking (S)\fR +The \fBsmbd(8)\fR +daemon maintains an database of file locks obtained by SMB clients. +The default behavior is to map this internal database to POSIX +locks. This means that file locks obtained by SMB clients are +consistent with those seen by POSIX compliant applications accessing +the files via a non-SMB method (e.g. NFS or local file access). +You should never need to disable this parameter. + +Default: \fBposix locking = yes\fR +.TP +\fBpostexec (S)\fR +This option specifies a command to be run +whenever the service is disconnected. It takes the usual +substitutions. The command may be run as the root on some +systems. + +An interesting example may be to unmount server +resources: + +\fBpostexec = /etc/umount /cdrom\fR + +See also \fIpreexec\fR +\&. + +Default: \fBnone (no command executed)\fR + +Example: \fBpostexec = echo \\"%u disconnected from %S +from %m (%I)\\" >> /tmp/log\fR +.TP +\fBpostscript (S)\fR +This parameter forces a printer to interpret +the print files as PostScript. This is done by adding a %! +to the start of print output. + +This is most useful when you have lots of PCs that persist +in putting a control-D at the start of print jobs, which then +confuses your printer. + +Default: \fBpostscript = no\fR +.TP +\fBpreexec (S)\fR +This option specifies a command to be run whenever +the service is connected to. It takes the usual substitutions. + +An interesting example is to send the users a welcome +message every time they log in. Maybe a message of the day? Here +is an example: + +\fBpreexec = csh -c 'echo \\"Welcome to %S!\\" | +/usr/local/samba/bin/smbclient -M %m -I %I' & \fR Of course, this could get annoying after a while :-) -See also postexec - -.B Default: - none (no command executed) - -.B Example: - preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log - -.SS preferred master (G) -This boolean parameter controls if Samba is a preferred master browser -for its workgroup. Setting this gives it a slight edge in elections -and also means it will automatically start an election when it starts -up. - -It is on by default. - -.SS preload -This is an alias for "auto services" - -.SS preserve case (S) - -This controls if new filenames are created with the case that the -client passes, or if they are forced to be the "default" case. - -.B Default: - preserve case = no - -See the section on "NAME MANGLING" for a fuller discussion. - -.SS print command (S) -After a print job has finished spooling to a service, this command will be -used via a system() call to process the spool file. Typically the command -specified will submit the spool file to the host's printing subsystem, but -there is no requirement that this be the case. The server will not remove the -spool file, so whatever command you specify should remove the spool file when -it has been processed, otherwise you will need to manually remove old spool -files. - -The print command is simply a text string. It will be used verbatim, -with two exceptions: All occurrences of "%s" will be replaced by the -appropriate spool file name, and all occurrences of "%p" will be -replaced by the appropriate printer name. The spool file name is -generated automatically by the server, the printer name is discussed -below. - -The full path name will be used for the filename if %s is not preceded -by a /. If you don't like this (it can stuff up some lpq output) then -use %f instead. Any occurances of %f get replaced by the spool -filename without the full path at the front. - -The print command MUST contain at least one occurrence of "%s" or %f - -the "%p" is optional. At the time a job is submitted, if no printer -name is supplied the "%p" will be silently removed from the printer -command. - -If specified in the [global] section, the print command given will be used -for any printable service that does not have its own print command specified. - -If there is neither a specified print command for a printable service nor a -global print command, spool files will be created but not processed and (most -importantly) not removed. - -Note that printing may fail on some unixes from the "nobody" -account. If this happens then create an alternative guest account that -can print and set the "guest account" in the [global] section. - -You can form quite complex print commands by realising that they are -just passed to a shell. For example the following will log a print -job, print the file, then remove it. Note that ; is the usual -separator for command in shell scripts. - -print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s - -You may have to vary this command considerably depending on how you -normally print files on your system. - -.B Default: - print command = lpr -r -P %p %s - -.B Example: - print command = /usr/local/samba/myprintscript %p %s -.SS print ok (S) -See -.B printable. -.SS printable (S) -A synonym for this parameter is 'print ok'. - -If this parameter is 'yes', then clients may open, write to and submit spool -files on the directory specified for the service. - -Note that a printable service will ALWAYS allow writing to the service path -(user privileges permitting) via the spooling of print data. The 'read only' -parameter controls only non-printing access to the resource. - -.B Default: - printable = no - -.B Example: - printable = yes - -.SS printing (G) -This parameters controls how printer status information is interpreted -on your system, and also affects the default values for the "print -command", "lpq command" and "lprm command". - -Currently three printing styles are supported. They are "printing = -bsd", "printing = sysv", "printing = hpux" and "printing = aix". - -To see what the defaults are for the other print commands when using -these three options use the "testparm" program. - - -.SS printcap name (G) -This parameter may be used to override the compiled-in default printcap -name used by the server (usually /etc/printcap). See the discussion of the -[printers] section above for reasons why you might want to do this. - -For those of you without a printcap (say on SysV) you can just create a -minimal file that looks like a printcap and set "printcap name =" in -[global] to point at it. +See also \fIpreexec close +\fRand \fIpostexec +\fR\&. + +Default: \fBnone (no command executed)\fR + +Example: \fBpreexec = echo \\"%u connected to %S from %m +(%I)\\" >> /tmp/log\fR +.TP +\fBpreexec close (S)\fR +This boolean option controls whether a non-zero +return code from \fIpreexec +\fRshould close the service being connected to. + +Default: \fBpreexec close = no\fR +.TP +\fBpreferred master (G)\fR +This boolean parameter controls if nmbd(8)is a preferred master browser +for its workgroup. + +If this is set to true, on startup, \fBnmbd\fR +will force an election, and it will have a slight advantage in +winning the election. It is recommended that this parameter is +used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master. + +Use this option with caution, because if there are several +hosts (whether Samba servers, Windows 95 or NT) that are preferred +master browsers on the same subnet, they will each periodically +and continuously attempt to become the local master browser. +This will result in unnecessary broadcast traffic and reduced browsing +capabilities. + +See also \fIos level\fR +\&. + +Default: \fBpreferred master = auto\fR +.TP +\fBprefered master (G)\fR +Synonym for \fI preferred master\fR for people who cannot spell :-). +.TP +\fBpreload\fR +This is a list of services that you want to be +automatically added to the browse lists. This is most useful +for homes and printers services that would otherwise not be +visible. + +Note that if you just want all printers in your +printcap file loaded then the \fIload printers\fR option is easier. + +Default: \fBno preloaded services\fR + +Example: \fBpreload = fred lp colorlp\fR +.TP +\fBpreserve case (S)\fR +This controls if new filenames are created +with the case that the client passes, or if they are forced to +be the \fIdefault case +\fR\&. + +Default: \fBpreserve case = yes\fR + +See the section on NAME +MANGLING for a fuller discussion. +.TP +\fBprint command (S)\fR +After a print job has finished spooling to +a service, this command will be used via a \fBsystem()\fR +call to process the spool file. Typically the command specified will +submit the spool file to the host's printing subsystem, but there +is no requirement that this be the case. The server will not remove +the spool file, so whatever command you specify should remove the +spool file when it has been processed, otherwise you will need to +manually remove old spool files. + +The print command is simply a text string. It will be used +verbatim, with two exceptions: All occurrences of \fI%s +\fRand \fI%f\fR will be replaced by the +appropriate spool file name, and all occurrences of \fI%p +\fRwill be replaced by the appropriate printer name. The +spool file name is generated automatically by the server. The +\fI%J\fR macro can be used to access the job +name as transmitted by the client. + +The print command \fBMUST\fR contain at least +one occurrence of \fI%s\fR or \fI%f +\fR- the \fI%p\fR is optional. At the time +a job is submitted, if no printer name is supplied the \fI%p +\fRwill be silently removed from the printer command. + +If specified in the [global] section, the print command given +will be used for any printable service that does not have its own +print command specified. + +If there is neither a specified print command for a +printable service nor a global print command, spool files will +be created but not processed and (most importantly) not removed. + +Note that printing may fail on some UNIXes from the +nobody account. If this happens then create +an alternative guest account that can print and set the \fIguest account\fR +in the [global] section. + +You can form quite complex print commands by realizing +that they are just passed to a shell. For example the following +will log a print job, print the file, then remove it. Note that +\&';' is the usual separator for command in shell scripts. + +\fBprint command = echo Printing %s >> +/tmp/print.log; lpr -P %p %s; rm %s\fR + +You may have to vary this command considerably depending +on how you normally print files on your system. The default for +the parameter varies depending on the setting of the \fIprinting\fR parameter. + +Default: For \fBprinting = BSD, AIX, QNX, LPRNG +or PLP :\fR + +\fBprint command = lpr -r -P%p %s\fR + +For \fBprinting = SYSV or HPUX :\fR + +\fBprint command = lp -c -d%p %s; rm %s\fR + +For \fBprinting = SOFTQ :\fR + +\fBprint command = lp -d%p -s %s; rm %s\fR + +Example: \fBprint command = /usr/local/samba/bin/myprintscript +%p %s\fR +.TP +\fBprint ok (S)\fR +Synonym for \fIprintable\fR. +.TP +\fBprintable (S)\fR +If this parameter is yes, then +clients may open, write to and submit spool files on the directory +specified for the service. + +Note that a printable service will ALWAYS allow writing +to the service path (user privileges permitting) via the spooling +of print data. The \fIwriteable +\fRparameter controls only non-printing access to +the resource. + +Default: \fBprintable = no\fR +.TP +\fBprintcap (G)\fR +Synonym for \fI printcap name\fR. +.TP +\fBprintcap name (G)\fR +This parameter may be used to override the +compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons +why you might want to do this. + +On System V systems that use \fBlpstat\fR to +list available printers you can use \fBprintcap name = lpstat +\fRto automatically obtain lists of available printers. This +is the default for systems that define SYSV at configure time in +Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on +these systems then Samba will launch \fBlpstat -v\fR and +attempt to parse the output to obtain a printer list. A minimal printcap file would look something like this: -print1|My Printer 1 -print2|My Printer 2 -print3|My Printer 3 -print4|My Printer 4 -print5|My Printer 5 - -where the | separates aliases of a printer. The fact that the second -alias has a space in it gives a hint to Samba that it's a comment. - -NOTE: Under AIX the default printcap name is "/etc/qconfig". Samba -will assume the file is in AIX "qconfig" format if the string -"/qconfig" appears in the printcap filename. - -.B Default: - printcap name = /etc/printcap - -.B Example: - printcap name = /etc/myprintcap -.SS printer (S) -A synonym for this parameter is 'printer name'. - -This parameter specifies the name of the printer to which print jobs spooled -through a printable service will be sent. - -If specified in the [global] section, the printer name given will be used -for any printable service that does not have its own printer name specified. - -.B Default: - none (but may be 'lp' on many systems) - -.B Example: - printer name = laserwriter -.SS printer name (S) -See -.B printer. -.SS protocol (G) -The value of the parameter (a string) is the highest protocol level that will -be supported by the server. - -Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative -merits of each are discussed in the README file. - -.B Default: - protocol = NT1 - -.B Example: - protocol = LANMAN1 -.SS public (S) -A synonym for this parameter is 'guest ok'. - -If this parameter is 'yes' for a service, then no password is required -to connect to the service. Privileges will be those of the guest -account. - -See the section below on user/password validation for more information about -this option. - -.B Default: - public = no - -.B Example: - public = yes -.SS read list (S) -This is a list of users that are given read-only access to a -service. If the connecting user is in this list then they will -not be given write access, no matter what the "read only" option -is set to. The list can include group names using the @group syntax. - -See also the "write list" option - -.B Default: - read list = - -.B Example: - read list = mary, @students - -.SS read only (S) -See -.B writable -and -.B write ok. -Note that this is an inverted synonym for writable and write ok. -.SS read prediction (G) -This options enables or disables the read prediction code used to -speed up reads from the server. When enabled the server will try to -pre-read data from the last accessed file that was opened read-only -while waiting for packets. - -.SS Default: - read prediction = False - -.SS Example: - read prediction = True -.SS read raw (G) -This parameter controls whether or not the server will support raw reads when -transferring data to clients. - -If enabled, raw reads allow reads of 65535 bytes in one packet. This -typically provides a major performance benefit. - -However, some clients either negotiate the allowable block size incorrectly -or are incapable of supporting larger block sizes, and for these clients you -may need to disable raw reads. - -In general this parameter should be viewed as a system tuning tool and left -severely alone. See also -.B write raw. - -.B Default: - read raw = yes - -.B Example: - read raw = no -.SS read size (G) - -The option "read size" affects the overlap of disk reads/writes with -network reads/writes. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk. - -This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other. - -The default value is 2048, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the best -value will vary greatly between systems anyway. A value over 65536 is -pointless and will cause you to allocate memory unnecessarily. - -.B Default: - read size = 2048 - -.B Example: - read size = 8192 - -.SS revalidate (S) - -This options controls whether Samba will allow a previously validated -username/password pair to be used to attach to a share. Thus if you -connect to \\\\server\\share1 then to \\\\server\\share2 it won't -automatically allow the client to request connection to the second -share as the same username as the first without a password. - -If "revalidate" is True then the client will be denied automatic -access as the same username. - -.B Default: - revalidate = False - -.B Example: - revalidate = True - -.SS root (G) -See -.B root directory. -.SS root dir (G) -See -.B root directory. -.SS root directory (G) -Synonyms for this parameter are 'root dir' and 'root'. - -The server will chroot() to this directory on startup. This is not -strictly necessary for secure operation. Even without it the server -will deny access to files not in one of the service entries. It may -also check for, and deny access to, soft links to other parts of the -filesystem, or attempts to use .. in file names to access other -directories (depending on the setting of the "wide links" parameter). - -Adding a "root dir" entry other than "/" adds an extra level of security, -but at a price. It absolutely ensures that no access is given to files not -in the sub-tree specified in the "root dir" option, *including* some files -needed for complete operation of the server. To maintain full operability -of the server you will need to mirror some system files into the "root dir" -tree. In particular you will need to mirror /etc/passwd (or a subset of it), -and any binaries or configuration files needed for printing (if required). -The set of files that must be mirrored is operating system dependent. - -.B Default: - root directory = / - -.B Example: - root directory = /homes/smb -.SS security (G) -This option does affects how clients respond to Samba. - -The option sets the "security mode bit" in replies to protocol negotiations -to turn share level security on or off. Clients decide based on this bit -whether (and how) to transfer user and password information to the server. - -The default is "security=SHARE", mainly because that was the only -option at one stage. - -The alternatives are "security = user" or "security = server". - -If your PCs use usernames that are the same as their usernames on the -unix machine then you will want to use "security = user". If you -mostly use usernames that don't exist on the unix box then use -"security = share". - -There is a bug in WfWg that may affect your decision. When in user -level security a WfWg client will totally ignore the password you type -in the "connect drive" dialog box. This makes it very difficult (if -not impossible) to connect to a Samba service as anyone except the -user that you are logged into WfWg as. - -If you use "security = server" then Samba will try to validate the -username/password by passing it to another SMB server, such as an NT -box. If this fails it will revert to "security = USER". - -See the "password server" option for more details. - -.B Default: - security = SHARE - -.B Example: - security = USER -.SS server string (G) -This controls what string will show up in the printer comment box in -print manager and next to the IPC connection in "net view". It can be -any string that you wish to show to your users. - -Note that it DOES NOT affect the string that appears in browse -lists. That is controlled by a nmbd command line option instead. - -A %v will be replaced with the Samba version number. - -A %h will be replaced with the hostname. - -.B Default: - server string = Samba %v - -.B Example: - server string = University of GNUs Samba Server - -.SS smbrun (G) -This sets the full path to the smbrun binary. This defaults to the -value in the Makefile. - -You must get this path right for many services to work correctly. - -.B Default: taken from Makefile - -.B Example: - smbrun = /usr/local/samba/bin/smbrun - -.SS short preserve case (S) - -This controls if new short filenames are created with the case that -the client passes, or if they are forced to be the "default" case. - -.B Default: - short preserve case = no - -See the section on "NAME MANGLING" for a fuller discussion. - -.SS root preexec (S) - -This is the same as preexec except that the command is run as -root. This is useful for mounting filesystems (such as cdroms) before -a connection is finalised. - -.SS root postexec (S) - -This is the same as postexec except that the command is run as -root. This is useful for unmounting filesystems (such as cdroms) after -a connection is closed. - -.SS set directory (S) -If 'set directory = no', then users of the service may not use the setdir -command to change directory. - -The setdir comand is only implemented in the Digital Pathworks client. See the -Pathworks documentation for details. -.B Default: - set directory = no - -.B Example: - set directory = yes - -.SS share modes (S) - -This enables or disables the honouring of the "share modes" during a -file open. These modes are used by clients to gain exclusive read or -write access to a file. - -These open modes are not directly supported by unix, so they are -simulated using lock files in the "lock directory". The "lock -directory" specified in smb.conf must be readable by all users. - -The share modes that are enabled by this option are DENY_DOS, -DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB. - -Enabling this option gives full share compatability but may cost a bit -of processing time on the unix server. They are enabled by default. - -.B Default: - share modes = yes - -.B Example: - share modes = no - -.SS socket options (G) -This option (which can also be invoked with the -O command line -option) allows you to set socket options to be used when talking with -the client. - -Socket options are controls on the networking layer of the operating -systems which allow the connection to be tuned. - -This option will typically be used to tune your Samba server for -optimal performance for your local network. There is no way that Samba -can know what the optimal parameters are for your net, so you must -experiment and choose them yourself. I strongly suggest you read the -appropriate documentation for your operating system first (perhaps -"man setsockopt" will help). - -You may find that on some systems Samba will say "Unknown socket -option" when you supply an option. This means you either mis-typed it -or you need to add an include file to includes.h for your OS. If the -latter is the case please send the patch to me -(samba-bugs@anu.edu.au). - -Any of the supported socket options may be combined in any way you -like, as long as your OS allows it. - -This is the list of socket options currently settable using this -option: - - SO_KEEPALIVE - - SO_REUSEADDR - - SO_BROADCAST - - TCP_NODELAY - - IPTOS_LOWDELAY - - IPTOS_THROUGHPUT - - SO_SNDBUF * - - SO_RCVBUF * - - SO_SNDLOWAT * - - SO_RCVLOWAT * - -Those marked with a * take an integer argument. The others can -optionally take a 1 or 0 argument to enable or disable the option, by -default they will be enabled if you don't specify 1 or 0. - -To specify an argument use the syntax SOME_OPTION=VALUE for example -SO_SNDBUF=8192. Note that you must not have any spaces before or after -the = sign. - -If you are on a local network then a sensible option might be - -socket options = IPTOS_LOWDELAY - -If you have an almost unloaded local network and you don't mind a lot -of extra CPU usage in the server then you could try - -socket options = IPTOS_LOWDELAY TCP_NODELAY - -If you are on a wide area network then perhaps try setting -IPTOS_THROUGHPUT. - -Note that several of the options may cause your Samba server to fail -completely. Use these options with caution! - -.B Default: - no socket options - -.B Example: - socket options = IPTOS_LOWDELAY - - - - -.SS status (G) -This enables or disables logging of connections to a status file that -smbstatus can read. - -With this disabled smbstatus won't be able to tell you what -connections are active. - -.B Default: - status = yes - -.B Example: - status = no - -.SS strip dot (G) -This is a boolean that controls whether to strup trailing dots off -filenames. This helps with some CDROMs that have filenames ending in a -single dot. - -NOTE: This option is now obsolete, and may be removed in future. You -should use the "mangled map" option instead as it is much more -general. - -.SS strict locking (S) -This is a boolean that controls the handling of file locking in the -server. When this is set to yes the server will check every read and -write access for file locks, and deny access if locks exist. This can -be slow on some systems. - -When strict locking is "no" the server does file lock checks only when -the client explicitly asks for them. - -Well behaved clients always ask for lock checks when it is important, -so in the vast majority of cases "strict locking = no" is preferable. - -.B Default: - strict locking = no - -.B Example: - strict locking = yes - -.SS sync always (S) - -This is a boolean parameter that controls whether writes will always -be written to stable storage before the write call returns. If this is -false then the server will be guided by the clients request in each -write call (clients can set a bit indicating that a particular write -should be synchronous). If this is true then every write will be -followed by a fsync() call to ensure the data is written to disk. - -.B Default: - sync always = no - -.B Example: - sync always = yes - -.SS time offset (G) -This parameter is a setting in minutes to add to the normal GMT to -local time conversion. This is useful if you are serving a lot of PCs -that have incorrect daylight saving time handling. - -.B Default: - time offset = 0 - -.B Example: - time offset = 60 - -.SS user (S) -See -.B username. -.SS username (S) -A synonym for this parameter is 'user'. - -Multiple users may be specified in a comma-delimited list, in which case the -supplied password will be tested against each username in turn (left to right). - -The username= line is needed only when the PC is unable to supply it's own -username. This is the case for the coreplus protocol or where your -users have different WfWg usernames to unix usernames. In both these -cases you may also be better using the \\\\server\\share%user syntax -instead. - -The username= line is not a great solution in many cases as it means Samba -will try to validate the supplied password against each of the -usernames in the username= line in turn. This is slow and a bad idea for -lots of users in case of duplicate passwords. You may get timeouts or -security breaches using this parameter unwisely. - -Samba relies on the underlying unix security. This parameter does not -restrict who can login, it just offers hints to the Samba server as to -what usernames might correspond to the supplied password. Users can -login as whoever they please and they will be able to do no more -damage than if they started a telnet session. The daemon runs as the -user that they log in as, so they cannot do anything that user cannot -do. - -To restrict a service to a particular set of users you can use the -"valid users=" line. - -If any of the usernames begin with a @ then the name will be looked up -in the groups file and will expand to a list of all users in the group -of that name. Note that searching though a groups file can take quite -some time, and some clients may time out during the search. - -See the section below on username/password validation for more information -on how this parameter determines access to the services. - -.B Default: - The guest account if a guest service, else the name of the service. - -.B Examples: - username = fred - username = fred, mary, jack, jane, @users, @pcgroup - -.SS username map (G) - -This option allows you to to specify a file containing a mapping of -usernames from the clients to the server. This can be used for several -purposes. The most common is to map usernames that users use on dos or -windows machines to those that the unix box uses. The other is to map -multiple users to a single username so that they can more easily share -files. - -The map file is parsed line by line. Each line should contain a single -unix username on the left then a '=' followed by a list of usernames -on the right. The list of usernames on the right may contain names of -the form @group in which case they will match any unix username in -that group. The special client name '*' is a wildcard and matches any -name. - -The file is processed on each line by taking the supplied username and -comparing it with each username on the right hand side of the '=' -signs. If the supplied name matrches any of the names on the right -hand side then it is replaced with the name on the left. Processing -then continues with the next line. - -If any line begins with a '#' or a ';' then it is ignored - -For example to map from he name "admin" or "administrator" to the unix -name "root" you would use - - root = admin administrator - -Or to map anyone in the unix group "system" to the unix name "sys" you -would use - - sys = @system - -You can have as many mappings as you like in a username map file. - -Note that the remapping is applied to all occurances of -usernames. Thus if you connect to "\\\\server\\fred" and "fred" is -remapped to "mary" then you will actually be connecting to -"\\\\server\\mary" and will need to supply a password suitable for -"mary" not "fred". The only exception to this is the username passwed -to the "password server" (if you have one). The password server will -receive whatever username the client supplies without modification. - -Also note that no reverse mapping is done. The main effect this has is -with printing. Users who have been mapped may have trouble deleting -print jobs as PrintManager under WfWg will think they don't own the -print job. - -.B Default - no username map - -.B Example - username map = /usr/local/samba/lib/users.map - -.SS valid chars (S) - -The option allows you to specify additional characters that should be -considered valid by the server in filenames. This is particularly -useful for national character sets, such as adding u-umlaut or a-ring. - -The option takes a list of characters in either integer or character -form with spaces between them. If you give two characters with a colon -between them then it will be taken as an lowercase:uppercase pair. - -If you have an editor capable of entering the characters into the -config file then it is probably easiest to use this method. Otherwise -you can specify the characters in octal, decimal or hexidecimal form -using the usual C notation. - -For example to add the single character 'Z' to the charset (which is a -pointless thing to do as it's already there) you could do one of the -following - -valid chars = Z -valid chars = z:Z -valid chars = 0132:0172 - -The last two examples above actually add two characters, and alters -the uppercase and lowercase mappings appropriately. - -.B Default - Samba defaults to using a reasonable set of valid characters - for english systems - -.B Example - valid chars = 0345:0305 0366:0326 0344:0304 - -The above example allows filenames to have the swedish characters in -them. - -.SS valid users (S) -This is a list of users that should be allowed to login to this -service. A name starting with @ is interpreted as a unix group. - -If this is empty (the default) then any user can login. If a username -is in both this list and the "invalid users" list then access is -denied for that user. - -The current servicename is substituted for %S. This is useful in the -[homes] section. - -See also "invalid users" - -.B Default - No valid users list. (anyone can login) - -.B Example - valid users = greg, @pcusers - -.SS volume (S) -This allows you to override the volume label returned for a -share. Useful for CDROMs whos installation programs insist on a -particular volume label. - -The default is the name of the share - -.SS wide links (S) -This parameter controls whether or not links in the Unix file system may be -followed by the server. Links that point to areas within the directory tree -exported by the server are always allowed; this parameter controls access -only to areas that are outside the directory tree being exported. - -.B Default: - wide links = yes - -.B Example: - wide links = no - -.SS workgroup (G) - -This controls what workgroup your server will appear to be in when -queried by clients. This can be different to the workgroup specified -in the nmbd configuration, but it is probably best if you set them to -the same value. - -.B Default: - set in the Makefile - -.B Example: - workgroup = MYGROUP +.sp +.nf + print1|My Printer 1 + print2|My Printer 2 + print3|My Printer 3 + print4|My Printer 4 + print5|My Printer 5 + +.sp +.fi + +where the '|' separates aliases of a printer. The fact +that the second alias has a space in it gives a hint to Samba +that it's a comment. + +\fBNOTE\fR: Under AIX the default printcap +name is \fI/etc/qconfig\fR. Samba will assume the +file is in AIX \fIqconfig\fR format if the string +\fIqconfig\fR appears in the printcap filename. + +Default: \fBprintcap name = /etc/printcap\fR + +Example: \fBprintcap name = /etc/myprintcap\fR +.TP +\fBprinter admin (S)\fR +This is a list of users that can do anything to +printers via the remote administration interfaces offered by MS-RPC +(usually using a NT workstation). Note that the root user always +has admin rights. + +Default: \fBprinter admin = <empty string>\fR + +Example: \fBprinter admin = admin, @staff\fR +.TP +\fBprinter driver (S)\fR +\fBNote :\fRThis is a deprecated +parameter and will be removed in the next major release +following version 2.2. Please see the instructions in +the Samba 2.2. Printing +HOWTOfor more information +on the new method of loading printer drivers onto a Samba server. + +This option allows you to control the string +that clients receive when they ask the server for the printer driver +associated with a printer. If you are using Windows95 or Windows NT +then you can use this to automate the setup of printers on your +system. + +You need to set this parameter to the exact string (case +sensitive) that describes the appropriate printer driver for your +system. If you don't know the exact string to use then you should +first try with no \fI printer driver\fR option set and the client will +give you a list of printer drivers. The appropriate strings are +shown in a scroll box after you have chosen the printer manufacturer. + +See also \fIprinter +driver file\fR. + +Example: \fBprinter driver = HP LaserJet 4L\fR +.TP +\fBprinter driver file (G)\fR +\fBNote :\fRThis is a deprecated +parameter and will be removed in the next major release +following version 2.2. Please see the instructions in +the Samba 2.2. Printing +HOWTOfor more information +on the new method of loading printer drivers onto a Samba server. + +This parameter tells Samba where the printer driver +definition file, used when serving drivers to Windows 95 clients, is +to be found. If this is not set, the default is : + +\fISAMBA_INSTALL_DIRECTORY +/lib/printers.def\fR + +This file is created from Windows 95 \fImsprint.inf +\fRfiles found on the Windows 95 client system. For more +details on setting up serving of printer drivers to Windows 95 +clients, see the outdated documentation file in the \fIdocs/\fR +directory, \fIPRINTER_DRIVER.txt\fR. + +See also \fI printer driver location\fR. + +Default: \fBNone (set in compile).\fR + +Example: \fBprinter driver file = +/usr/local/samba/printers/drivers.def\fR +.TP +\fBprinter driver location (S)\fR +\fBNote :\fRThis is a deprecated +parameter and will be removed in the next major release +following version 2.2. Please see the instructions in +the Samba 2.2. Printing +HOWTOfor more information +on the new method of loading printer drivers onto a Samba server. + +This parameter tells clients of a particular printer +share where to find the printer driver files for the automatic +installation of drivers for Windows 95 machines. If Samba is set up +to serve printer drivers to Windows 95 machines, this should be set to + +\fB\\\\MACHINE\\PRINTER$\fR + +Where MACHINE is the NetBIOS name of your Samba server, +and PRINTER$ is a share you set up for serving printer driver +files. For more details on setting this up see the outdated documentation +file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR. + +See also \fI printer driver file\fR. + +Default: \fBnone\fR + +Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$ +\fR.TP +\fBprinter name (S)\fR +This parameter specifies the name of the printer +to which print jobs spooled through a printable service will be sent. + +If specified in the [global] section, the printer +name given will be used for any printable service that does +not have its own printer name specified. + +Default: \fBnone (but may be lp +on many systems)\fR + +Example: \fBprinter name = laserwriter\fR +.TP +\fBprinter (S)\fR +Synonym for \fI printer name\fR. +.TP +\fBprinting (S)\fR +This parameters controls how printer status +information is interpreted on your system. It also affects the +default values for the \fIprint command\fR, +\fIlpq command\fR, \fIlppause command +\fR, \fIlpresume command\fR, and +\fIlprm command\fR if specified in the +[global] section. + +Currently nine printing styles are supported. They are +BSD, AIX, +LPRNG, PLP, +SYSV, HPUX, +QNX, SOFTQ, +and CUPS. + +To see what the defaults are for the other print +commands when using the various options use the testparm(1)program. + +This option can be set on a per printer basis + +See also the discussion in the [printers] section. +.TP +\fBprivate dir (G)\fR +This parameters defines the directory +smbd will use for storing such files as \fIsmbpasswd\fR +and \fIsecrets.tdb\fR. + +Default :\fBprivate dir = ${prefix}/private\fR +.TP +\fBprotocol (G)\fR +Synonym for \fImax protocol\fR. +.TP +\fBpublic (S)\fR +Synonym for \fIguest +ok\fR. +.TP +\fBqueuepause command (S)\fR +This parameter specifies the command to be +executed on the server host in order to pause the printer queue. + +This command should be a program or script which takes +a printer name as its only parameter and stops the printer queue, +such that no longer jobs are submitted to the printer. + +This command is not supported by Windows for Workgroups, +but can be issued from the Printers window under Windows 95 +and NT. + +If a \fI%p\fR is given then the printer name +is put in its place. Otherwise it is placed at the end of the command. + +Note that it is good practice to include the absolute +path in the command as the PATH may not be available to the +server. -.SS write ok (S) -See -.B writable -and -.B read only. -.SS writable (S) -A synonym for this parameter is 'write ok'. An inverted synonym is 'read only'. - -If this parameter is 'no', then users of a service may not create or modify -files in the service's directory. - -Note that a printable service ('printable = yes') will ALWAYS allow -writing to the directory (user privileges permitting), but only via -spooling operations. - -.B Default: - writable = no - -.B Examples: - read only = no - writable = yes - write ok = yes -.SS write list (S) -This is a list of users that are given read-write access to a -service. If the connecting user is in this list then they will be -given write access, no matter what the "read only" option is set -to. The list can include group names using the @group syntax. - -Note that if a user is in both the read list and the write list then -they will be given write access. - -See also the "read list" option - -.B Default: - write list = - -.B Example: - write list = admin, root, @staff - -.SS write raw (G) -This parameter controls whether or not the server will support raw writes when -transferring data from clients. - -.B Default: - write raw = yes - -.B Example: - write raw = no -.SH NOTE ABOUT USERNAME/PASSWORD VALIDATION -There are a number of ways in which a user can connect to a -service. The server follows the following steps in determining if it -will allow a connection to a specified service. If all the steps fail -then the connection request is rejected. If one of the steps pass then -the following steps are not checked. - -If the service is marked "guest only = yes" then steps 1 to 5 are skipped - -Step 1: If the client has passed a username/password pair and that -username/password pair is validated by the unix systems password -programs then the connection is made as that username. Note that this -includes the \\\\server\\service%username method of passing a username. - -Step 2: If the client has previously registered a username with the -system and now supplies a correct password for that username then the -connection is allowed. - -Step 3: The clients netbios name and any previously used user names -are checked against the supplied password, if they match then the -connection is allowed as the corresponding user. - -Step 4: If the client has previously validated a username/password -pair with the server and the client has passed the validation token -then that username is used. This step is skipped if "revalidate = yes" -for this service. - -Step 5: If a "user = " field is given in the smb.conf file for the -service and the client has supplied a password, and that password -matches (according to the unix systems password checking) with one of -the usernames from the user= field then the connection is made as the -username in the "user=" line. If one of the username in the user= list -begins with a @ then that name expands to a list of names in the group -of the same name. - -Step 6: If the service is a guest service then a connection is made as -the username given in the "guest account =" for the service, -irrespective of the supplied password. - - -.SH WARNINGS -Although the configuration file permits service names to contain spaces, -your client software may not. Spaces will be ignored in comparisons anyway, -so it shouldn't be a problem - but be aware of the possibility. - -On a similar note, many clients - especially DOS clients - limit service -names to eight characters. Smbd has no such limitation, but attempts -to connect from such clients will fail if they truncate the service names. -For this reason you should probably keep your service names down to eight -characters in length. - -Use of the [homes] and [printers] special sections make life for an -administrator easy, but the various combinations of default attributes can be -tricky. Take extreme care when designing these sections. In particular, -ensure that the permissions on spool directories are correct. -.SH VERSION -This man page is (mostly) correct for version 1.9.00 of the Samba suite, plus some -of the recent patches to it. These notes will necessarily lag behind -development of the software, so it is possible that your version of -the server has extensions or parameter semantics that differ from or are not -covered by this man page. Please notify these to the address below for -rectification. - -Prior to version 1.5.21 of the Samba suite, the configuration file was -radically different (more primitive). If you are using a version earlier than -1.8.05, it is STRONGLY recommended that you upgrade. -.SH OPTIONS -Not applicable. - -.SH FILES -Not applicable. - -.SH ENVIRONMENT VARIABLES -Not applicable. - -.SH SEE ALSO -.B smbd(8), -.B smbclient(1), -.B nmbd(8), -.B testparm(1), -.B testprns(1), -.B lpq(1), -.B hosts_access(5) -.SH DIAGNOSTICS -[This section under construction] - -Most diagnostics issued by the server are logged in a specified log file. The -log file name is specified at compile time, but may be overridden on the -smbd (see smbd(8)) command line. - -The number and nature of diagnostics available depends on the debug level used -by the server. If you have problems, set the debug level to 3 and peruse the -log files. - -Most messages are reasonably self-explanatory. Unfortunately, at time of -creation of this man page the source code is still too fluid to warrant -describing each and every diagnostic. At this stage your best bet is still -to grep the source code and inspect the conditions that gave rise to the -diagnostics you are seeing. - -.SH BUGS -None known. - -Please send bug reports, comments and so on to: - -.RS 3 -.B samba-bugs@anu.edu.au (Andrew Tridgell) - -.RS 3 -or to the mailing list -.RE +Default: \fBdepends on the setting of \fIprinting +\fB\fR +Example: \fBqueuepause command = disable %p\fR +.TP +\fBqueueresume command (S)\fR +This parameter specifies the command to be +executed on the server host in order to resume the printer queue. It +is the command to undo the behavior that is caused by the +previous parameter (\fI queuepause command\fR). + +This command should be a program or script which takes +a printer name as its only parameter and resumes the printer queue, +such that queued jobs are resubmitted to the printer. + +This command is not supported by Windows for Workgroups, +but can be issued from the Printers window under Windows 95 +and NT. + +If a \fI%p\fR is given then the printer name +is put in its place. Otherwise it is placed at the end of the +command. -.B samba@listproc.anu.edu.au +Note that it is good practice to include the absolute +path in the command as the PATH may not be available to the +server. +Default: \fBdepends on the setting of \fIprinting\fB\fR + +Example: \fBqueuepause command = enable %p +\fR.TP +\fBread bmpx (G)\fR +This boolean parameter controls whether smbd(8)will support the "Read +Block Multiplex" SMB. This is now rarely used and defaults to +no. You should never need to set this +parameter. + +Default: \fBread bmpx = no\fR +.TP +\fBread list (S)\fR +This is a list of users that are given read-only +access to a service. If the connecting user is in this list then +they will not be given write access, no matter what the \fIwriteable\fR +option is set to. The list can include group names using the +syntax described in the \fI invalid users\fR parameter. + +See also the \fI write list\fR parameter and the \fIinvalid users\fR +parameter. + +Default: \fBread list = <empty string>\fR + +Example: \fBread list = mary, @students\fR +.TP +\fBread only (S)\fR +Note that this is an inverted synonym for \fIwriteable\fR. +.TP +\fBread raw (G)\fR +This parameter controls whether or not the server +will support the raw read SMB requests when transferring data +to clients. + +If enabled, raw reads allow reads of 65535 bytes in +one packet. This typically provides a major performance benefit. + +However, some clients either negotiate the allowable +block size incorrectly or are incapable of supporting larger block +sizes, and for these clients you may need to disable raw reads. + +In general this parameter should be viewed as a system tuning +tool and left severely alone. See also \fIwrite raw\fR. + +Default: \fBread raw = yes\fR +.TP +\fBread size (G)\fR +The option \fIread size\fR +affects the overlap of disk reads/writes with network reads/writes. +If the amount of data being transferred in several of the SMB +commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger +than this value then the server begins writing the data before it +has received the whole packet from the network, or in the case of +SMBreadbraw, it begins writing to the network before all the data +has been read from disk. + +This overlapping works best when the speeds of disk and +network access are similar, having very little effect when the +speed of one is much greater than the other. + +The default value is 16384, but very little experimentation +has been done yet to determine the optimal value, and it is likely +that the best value will vary greatly between systems anyway. +A value over 65536 is pointless and will cause you to allocate +memory unnecessarily. + +Default: \fBread size = 16384\fR + +Example: \fBread size = 8192\fR +.TP +\fBremote announce (G)\fR +This option allows you to setup nmbd(8)to periodically announce itself +to arbitrary IP addresses with an arbitrary workgroup name. + +This is useful if you want your Samba server to appear +in a remote workgroup for which the normal browse propagation +rules don't work. The remote workgroup can be anywhere that you +can send IP packets to. + +For example: + +\fBremote announce = 192.168.2.255/SERVERS +192.168.4.255/STAFF\fR + +the above line would cause \fBnmbd\fR to announce itself +to the two given IP addresses using the given workgroup names. +If you leave out the workgroup name then the one given in +the \fIworkgroup\fR +parameter is used instead. + +The IP addresses you choose would normally be the broadcast +addresses of the remote networks, but can also be the IP addresses +of known browse masters if your network config is that stable. + +See the documentation file \fIBROWSING.txt\fR +in the \fIdocs/\fR directory. + +Default: \fBremote announce = <empty string> +\fR.TP +\fBremote browse sync (G)\fR +This option allows you to setup nmbd(8)to periodically request +synchronization of browse lists with the master browser of a Samba +server that is on a remote segment. This option will allow you to +gain browse lists for multiple workgroups across routed networks. This +is done in a manner that does not work with any non-Samba servers. + +This is useful if you want your Samba server and all local +clients to appear in a remote workgroup for which the normal browse +propagation rules don't work. The remote workgroup can be anywhere +that you can send IP packets to. + +For example: + +\fBremote browse sync = 192.168.2.255 192.168.4.255 +\fR +the above line would cause \fBnmbd\fR to request +the master browser on the specified subnets or addresses to +synchronize their browse lists with the local server. + +The IP addresses you choose would normally be the broadcast +addresses of the remote networks, but can also be the IP addresses +of known browse masters if your network config is that stable. If +a machine IP address is given Samba makes NO attempt to validate +that the remote machine is available, is listening, nor that it +is in fact the browse master on its segment. + +Default: \fBremote browse sync = <empty string> +\fR.TP +\fBrestrict anonymous (G)\fR +This is a boolean parameter. If it is true, then +anonymous access to the server will be restricted, namely in the +case where the server is expecting the client to send a username, +but it doesn't. Setting it to true will force these anonymous +connections to be denied, and the client will be required to always +supply a username and password when connecting. Use of this parameter +is only recommended for homogeneous NT client environments. + +This parameter makes the use of macro expansions that rely +on the username (%U, %G, etc) consistent. NT 4.0 +likes to use anonymous connections when refreshing the share list, +and this is a way to work around that. + +When restrict anonymous is true, all anonymous connections +are denied no matter what they are for. This can effect the ability +of a machine to access the Samba Primary Domain Controller to revalidate +its machine account after someone else has logged on the client +interactively. The NT client will display a message saying that +the machine's account in the domain doesn't exist or the password is +bad. The best way to deal with this is to reboot NT client machines +between interactive logons, using "Shutdown and Restart", rather +than "Close all programs and logon as a different user". + +Default: \fBrestrict anonymous = no\fR +.TP +\fBroot (G)\fR +Synonym for \fIroot directory"\fR. +.TP +\fBroot dir (G)\fR +Synonym for \fIroot directory"\fR. +.TP +\fBroot directory (G)\fR +The server will \fBchroot()\fR (i.e. +Change its root directory) to this directory on startup. This is +not strictly necessary for secure operation. Even without it the +server will deny access to files not in one of the service entries. +It may also check for, and deny access to, soft links to other +parts of the filesystem, or attempts to use ".." in file names +to access other directories (depending on the setting of the \fIwide links\fR +parameter). + +Adding a \fIroot directory\fR entry other +than "/" adds an extra level of security, but at a price. It +absolutely ensures that no access is given to files not in the +sub-tree specified in the \fIroot directory\fR +option, \fBincluding\fR some files needed for +complete operation of the server. To maintain full operability +of the server you will need to mirror some system files +into the \fIroot directory\fR tree. In particular +you will need to mirror \fI/etc/passwd\fR (or a +subset of it), and any binaries or configuration files needed for +printing (if required). The set of files that must be mirrored is +operating system dependent. + +Default: \fBroot directory = /\fR + +Example: \fBroot directory = /homes/smb\fR +.TP +\fBroot postexec (S)\fR +This is the same as the \fIpostexec\fR +parameter except that the command is run as root. This +is useful for unmounting filesystems +(such as CDROMs) after a connection is closed. + +See also \fI postexec\fR. + +Default: \fBroot postexec = <empty string> +\fR.TP +\fBroot preexec (S)\fR +This is the same as the \fIpreexec\fR +parameter except that the command is run as root. This +is useful for mounting filesystems (such as CDROMs) when a +connection is opened. + +See also \fI preexec\fR and \fIpreexec close\fR. + +Default: \fBroot preexec = <empty string> +\fR.TP +\fBroot preexec close (S)\fR +This is the same as the \fIpreexec close +\fRparameter except that the command is run as root. + +See also \fI preexec\fR and \fIpreexec close\fR. + +Default: \fBroot preexec close = no\fR +.TP +\fBsecurity (G)\fR +This option affects how clients respond to +Samba and is one of the most important settings in the \fI smb.conf\fR file. + +The option sets the "security mode bit" in replies to +protocol negotiations with smbd(8) +to turn share level security on or off. Clients decide +based on this bit whether (and how) to transfer user and password +information to the server. + +The default is \fBsecurity = user\fR, as this is +the most common setting needed when talking to Windows 98 and +Windows NT. + +The alternatives are \fBsecurity = share\fR, +\fBsecurity = server\fR or \fBsecurity = domain +\fR\&. + +In versions of Samba prior to 2.0.0, the default was +\fBsecurity = share\fR mainly because that was +the only option at one stage. + +There is a bug in WfWg that has relevance to this +setting. When in user or server level security a WfWg client +will totally ignore the password you type in the "connect +drive" dialog box. This makes it very difficult (if not impossible) +to connect to a Samba service as anyone except the user that +you are logged into WfWg as. + +If your PCs use usernames that are the same as their +usernames on the UNIX machine then you will want to use +\fBsecurity = user\fR. If you mostly use usernames +that don't exist on the UNIX box then use \fBsecurity = +share\fR. + +You should also use \fBsecurity = share\fR if you +want to mainly setup shares without a password (guest shares). This +is commonly used for a shared printer server. It is more difficult +to setup guest shares with \fBsecurity = user\fR, see +the \fImap to guest\fR +parameter for details. + +It is possible to use \fBsmbd\fR in a \fB hybrid mode\fR where it is offers both user and share +level security under different \fINetBIOS aliases\fR. + +The different settings will now be explained. + +\fBSECURITY = SHARE +\fR +When clients connect to a share level security server they +need not log onto the server with a valid username and password before +attempting to connect to a shared resource (although modern clients +such as Windows 95/98 and Windows NT will send a logon request with +a username but no password when talking to a \fBsecurity = share +\fRserver). Instead, the clients send authentication information +(passwords) on a per-share basis, at the time they attempt to connect +to that share. + +Note that \fBsmbd\fR \fBALWAYS\fR +uses a valid UNIX user to act on behalf of the client, even in +\fBsecurity = share\fR level security. + +As clients are not required to send a username to the server +in share level security, \fBsmbd\fR uses several +techniques to determine the correct UNIX user to use on behalf +of the client. + +A list of possible UNIX usernames to match with the given +client password is constructed using the following methods : +.RS +.TP 0.2i +\(bu +If the \fIguest +only\fR parameter is set, then all the other +stages are missed and only the \fIguest account\fR username is checked. +.TP 0.2i +\(bu +Is a username is sent with the share connection +request, then this username (after mapping - see \fIusername map\fR), +is added as a potential username. +.TP 0.2i +\(bu +If the client did a previous \fBlogon +\fRrequest (the SessionSetup SMB call) then the +username sent in this SMB will be added as a potential username. +.TP 0.2i +\(bu +The name of the service the client requested is +added as a potential username. +.TP 0.2i +\(bu +The NetBIOS name of the client is added to +the list as a potential username. +.TP 0.2i +\(bu +Any users on the \fI user\fR list are added as potential usernames. .RE -You may also like to subscribe to the announcement channel +.PP +If the \fIguest only\fR parameter is +not set, then this list is then tried with the supplied password. +The first user for whom the password matches will be used as the +UNIX user. +.PP +.PP +If the \fIguest only\fR parameter is +set, or no username can be determined then if the share is marked +as available to the \fIguest account\fR, then this +guest user will be used, otherwise access is denied. +.PP +.PP +Note that it can be \fBvery\fR confusing +in share-level security as to which UNIX username will eventually +be used in granting access. +.PP +.PP +See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. +.PP +.PP +\fBSECURITY = USER +\fR.PP +.PP +This is the default security setting in Samba 2.2. +With user-level security a client must first "log-on" with a +valid username and password (which can be mapped using the \fIusername map\fR +parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also +be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and +may change the UNIX user to use on this connection, but only after +the user has been successfully authenticated. +.PP +.PP +\fBNote\fR that the name of the resource being +requested is \fBnot\fR sent to the server until after +the server has successfully authenticated the client. This is why +guest shares don't work in user level security without allowing +the server to automatically map unknown users into the \fIguest account\fR. +See the \fImap to guest\fR +parameter for details on doing this. +.PP +.PP +See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. +.PP +.PP +\fBSECURITY = SERVER +\fR.PP +.PP +In this mode Samba will try to validate the username/password +by passing it to another SMB server, such as an NT box. If this +fails it will revert to \fBsecurity = user\fR, but note +that if encrypted passwords have been negotiated then Samba cannot +revert back to checking the UNIX password file, it must have a valid +\fIsmbpasswd\fR file to check users against. See the +documentation file in the \fIdocs/\fR directory +\fIENCRYPTION.txt\fR for details on how to set this +up. +.PP +.PP +\fBNote\fR that from the client's point of +view \fBsecurity = server\fR is the same as \fB security = user\fR. It only affects how the server deals +with the authentication, it does not in any way affect what the +client sees. +.PP +.PP +\fBNote\fR that the name of the resource being +requested is \fBnot\fR sent to the server until after +the server has successfully authenticated the client. This is why +guest shares don't work in user level security without allowing +the server to automatically map unknown users into the \fIguest account\fR. +See the \fImap to guest\fR +parameter for details on doing this. +.PP +.PP +See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. +.PP +.PP +See also the \fIpassword +server\fR parameter and the \fIencrypted passwords\fR +parameter. +.PP +.PP +\fBSECURITY = DOMAIN +\fR.PP +.PP +This mode will only work correctly if smbpasswd(8)has been used to add this +machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR +parameter to be set to true. In this +mode Samba will try to validate the username/password by passing +it to a Windows NT Primary or Backup Domain Controller, in exactly +the same way that a Windows NT Server would do. +.PP +.PP +\fBNote\fR that a valid UNIX user must still +exist as well as the account on the Domain Controller to allow +Samba to have a valid UNIX account to map file access to. +.PP +.PP +\fBNote\fR that from the client's point +of view \fBsecurity = domain\fR is the same as \fBsecurity = user +\fR\&. It only affects how the server deals with the authentication, +it does not in any way affect what the client sees. +.PP +.PP +\fBNote\fR that the name of the resource being +requested is \fBnot\fR sent to the server until after +the server has successfully authenticated the client. This is why +guest shares don't work in user level security without allowing +the server to automatically map unknown users into the \fIguest account\fR. +See the \fImap to guest\fR +parameter for details on doing this. +.PP +.PP +\fBBUG:\fR There is currently a bug in the +implementation of \fBsecurity = domain\fR with respect +to multi-byte character set usernames. The communication with a +Domain Controller must be done in UNICODE and Samba currently +does not widen multi-byte user names to UNICODE correctly, thus +a multi-byte username will not be recognized correctly at the +Domain Controller. This issue will be addressed in a future release. +.PP +.PP +See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. +.PP +.PP +See also the \fIpassword +server\fR parameter and the \fIencrypted passwords\fR +parameter. +.PP +.PP +Default: \fBsecurity = USER\fR +.PP +.PP +Example: \fBsecurity = DOMAIN\fR +.PP +.TP +\fBsecurity mask (S)\fR +This parameter controls what UNIX permission +bits can be modified when a Windows NT client is manipulating +the UNIX permission on a file using the native NT security +dialog box. + +This parameter is applied as a mask (AND'ed with) to +the changed permission bits, thus preventing any bits not in +this mask from being modified. Essentially, zero bits in this +mask may be treated as a set of bits the user is not allowed +to change. + +If not set explicitly this parameter is 0777, allowing +a user to modify all the user/group/world permissions on a file. + +\fBNote\fR that users who can access the +Samba server through other means can easily bypass this +restriction, so it is primarily useful for standalone +"appliance" systems. Administrators of most normal systems will +probably want to leave it set to 0777. + +See also the \fIforce directory security mode\fR, +\fIdirectory +security mask\fR, \fIforce security mode\fR parameters. + +Default: \fBsecurity mask = 0777\fR + +Example: \fBsecurity mask = 0770\fR +.TP +\fBserver string (G)\fR +This controls what string will show up in the +printer comment box in print manager and next to the IPC connection +in \fBnet view\fR. It can be any string that you wish +to show to your users. + +It also sets what will appear in browse lists next +to the machine name. + +A \fI%v\fR will be replaced with the Samba +version number. + +A \fI%h\fR will be replaced with the +hostname. + +Default: \fBserver string = Samba %v\fR + +Example: \fBserver string = University of GNUs Samba +Server\fR +.TP +\fBset directory (S)\fR +If \fBset directory = no\fR, then +users of the service may not use the setdir command to change +directory. + +The \fBsetdir\fR command is only implemented +in the Digital Pathworks client. See the Pathworks documentation +for details. + +Default: \fBset directory = no\fR +.TP +\fBshort preserve case (S)\fR +This boolean parameter controls if new files +which conform to 8.3 syntax, that is all in upper case and of +suitable length, are created upper case, or if they are forced +to be the \fIdefault case +\fR\&. This option can be use with \fBpreserve case = yes\fR +to permit long filenames to retain their case, while short +names are lowered. + +See the section on NAME MANGLING. + +Default: \fBshort preserve case = yes\fR +.TP +\fBshow add printer wizard (G)\fR +With the introduction of MS-RPC based printing support +for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will +appear on Samba hosts in the share listing. Normally this folder will +contain an icon for the MS Add Printer Wizard (APW). However, it is +possible to disable this feature regardless of the level of privilege +of the connected user. + +Under normal circumstances, the Windows NT/2000 client will +open a handle on the printer server with OpenPrinterEx() asking for +Administrator privileges. If the user does not have administrative +access on the print server (i.e is not root or a member of the +\fIprinter admin\fR group), the OpenPrinterEx() +call fails and the client makes another open call with a request for +a lower privilege level. This should succeed, however the APW +icon will not be displayed. + +Disabling the \fIshow add printer wizard\fR +parameter will always cause the OpenPrinterEx() on the server +to fail. Thus the APW icon will never be displayed. \fB Note :\fRThis does not prevent the same user from having +administrative privilege on an individual printer. + +See also \fIaddprinter +command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR + +Default :\fBshow add printer wizard = yes\fR +.TP +\fBshutdown script (G)\fR +\fBThis parameter only exists in the HEAD cvs branch\fR +This a full path name to a script called by +\fBsmbd(8)\fRthat +should start a shutdown procedure. + +This command will be run as the user connected to the +server. -.RS 3 -samba-announce@listproc.anu.edu.au +%m %t %r %f parameters are expanded + +\fI%m\fR will be substituted with the +shutdown message sent to the server. + +\fI%t\fR will be substituted with the +number of seconds to wait before effectively starting the +shutdown procedure. + +\fI%r\fR will be substituted with the +switch \fB-r\fR. It means reboot after shutdown +for NT. + +\fI%f\fR will be substituted with the +switch \fB-f\fR. It means force the shutdown +even if applications do not respond for NT. + +Default: \fBNone\fR. + +Example: \fBabort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f\fR + +Shutdown script example: +.sp +.nf + #!/bin/bash + + $time=0 + let "time/60" + let "time++" + + /sbin/shutdown $3 $4 +$time $1 & + +.sp +.fi +Shutdown does not return so we need to launch it in background. + +See also \fIabort shutdown script\fR. +.TP +\fBsmb passwd file (G)\fR +This option sets the path to the encrypted +smbpasswd file. By default the path to the smbpasswd file +is compiled into Samba. + +Default: \fBsmb passwd file = ${prefix}/private/smbpasswd +\fR +Example: \fBsmb passwd file = /etc/samba/smbpasswd +\fR.TP +\fBsocket address (G)\fR +This option allows you to control what +address Samba will listen for connections on. This is used to +support multiple virtual interfaces on the one server, each +with a different configuration. + +By default Samba will accept connections on any +address. + +Example: \fBsocket address = 192.168.2.20\fR +.TP +\fBsocket options (G)\fR +This option allows you to set socket options +to be used when talking with the client. + +Socket options are controls on the networking layer +of the operating systems which allow the connection to be +tuned. + +This option will typically be used to tune your Samba +server for optimal performance for your local network. There is +no way that Samba can know what the optimal parameters are for +your net, so you must experiment and choose them yourself. We +strongly suggest you read the appropriate documentation for your +operating system first (perhaps \fBman setsockopt\fR +will help). + +You may find that on some systems Samba will say +"Unknown socket option" when you supply an option. This means you +either incorrectly typed it or you need to add an include file +to includes.h for your OS. If the latter is the case please +send the patch to samba@samba.org <URL:mailto:samba@samba.org>. + +Any of the supported socket options may be combined +in any way you like, as long as your OS allows it. + +This is the list of socket options currently settable +using this option: +.RS +.TP 0.2i +\(bu +SO_KEEPALIVE +.TP 0.2i +\(bu +SO_REUSEADDR +.TP 0.2i +\(bu +SO_BROADCAST +.TP 0.2i +\(bu +TCP_NODELAY +.TP 0.2i +\(bu +IPTOS_LOWDELAY +.TP 0.2i +\(bu +IPTOS_THROUGHPUT +.TP 0.2i +\(bu +SO_SNDBUF * +.TP 0.2i +\(bu +SO_RCVBUF * +.TP 0.2i +\(bu +SO_SNDLOWAT * +.TP 0.2i +\(bu +SO_RCVLOWAT * .RE - -To subscribe to these lists send a message to -listproc@listproc.anu.edu.au with a body of "subscribe samba Your -Name" or "subscribe samba-announce Your Name". - -Errors or suggestions for improvements to the Samba man pages should be -mailed to: - -.RS 3 -.B samba-bugs@anu.edu.au (Andrew Tridgell) +.PP +Those marked with a \fB'*'\fR take an integer +argument. The others can optionally take a 1 or 0 argument to enable +or disable the option, by default they will be enabled if you +don't specify 1 or 0. +.PP +.PP +To specify an argument use the syntax SOME_OPTION = VALUE +for example \fBSO_SNDBUF = 8192\fR. Note that you must +not have any spaces before or after the = sign. +.PP +.PP +If you are on a local network then a sensible option +might be +.PP +.PP +\fBsocket options = IPTOS_LOWDELAY\fR +.PP +.PP +If you have a local network then you could try: +.PP +.PP +\fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR +.PP +.PP +If you are on a wide area network then perhaps try +setting IPTOS_THROUGHPUT. +.PP +.PP +Note that several of the options may cause your Samba +server to fail completely. Use these options with caution! +.PP +.PP +Default: \fBsocket options = TCP_NODELAY\fR +.PP +.PP +Example: \fBsocket options = IPTOS_LOWDELAY\fR +.PP +.TP +\fBsource environment (G)\fR +This parameter causes Samba to set environment +variables as per the content of the file named. + +If the value of this parameter starts with a "|" character +then Samba will treat that value as a pipe command to open and +will set the environment variables from the output of the pipe. + +The contents of the file or the output of the pipe should +be formatted as the output of the standard Unix \fBenv(1) +\fRcommand. This is of the form : + +Example environment entry: + +\fBSAMBA_NETBIOS_NAME = myhostname\fR + +Default: \fBNo default value\fR + +Examples: \fBsource environment = |/etc/smb.conf.sh +\fR +Example: \fBsource environment = +/usr/local/smb_env_vars\fR +.TP +\fBssl (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This variable enables or disables the entire SSL mode. If +it is set to no, the SSL-enabled Samba behaves +exactly like the non-SSL Samba. If set to yes, +it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL +connection will be required. + +Default: \fBssl = no\fR +.TP +\fBssl CA certDir (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This variable defines where to look up the Certification +Authorities. The given directory should contain one file for +each CA that Samba will trust. The file name must be the hash +value over the "Distinguished Name" of the CA. How this directory +is set up is explained later in this document. All files within the +directory that don't fit into this naming scheme are ignored. You +don't need this variable if you don't verify client certificates. + +Default: \fBssl CA certDir = /usr/local/ssl/certs +\fR.TP +\fBssl CA certFile (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This variable is a second way to define the trusted CAs. +The certificates of the trusted CAs are collected in one big +file and this variable points to the file. You will probably +only use one of the two ways to define your CAs. The first choice is +preferable if you have many CAs or want to be flexible, the second +is preferable if you only have one CA and want to keep things +simple (you won't need to create the hashed file names). You +don't need this variable if you don't verify client certificates. + +Default: \fBssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem +\fR.TP +\fBssl ciphers (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This variable defines the ciphers that should be offered +during SSL negotiation. You should not set this variable unless +you know what you are doing. +.TP +\fBssl client cert (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +The certificate in this file is used by \fBsmbclient(1)\fRif it exists. It's needed +if the server requires a client certificate. + +Default: \fBssl client cert = /usr/local/ssl/certs/smbclient.pem +\fR.TP +\fBssl client key (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This is the private key for \fBsmbclient(1)\fR. It's only needed if the +client should have a certificate. + +Default: \fBssl client key = /usr/local/ssl/private/smbclient.pem +\fR.TP +\fBssl compatibility (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This variable defines whether OpenSSL should be configured +for bug compatibility with other SSL implementations. This is +probably not desirable because currently no clients with SSL +implementations other than OpenSSL exist. + +Default: \fBssl compatibility = no\fR +.TP +\fBssl egd socket (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This option is used to define the location of the communiation socket of +an EGD or PRNGD daemon, from which entropy can be retrieved. This option +can be used instead of or together with the \fIssl entropy file\fR +directive. 255 bytes of entropy will be retrieved from the daemon. + +Default: \fBnone\fR +.TP +\fBssl entropy bytes (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This parameter is used to define the number of bytes which should +be read from the \fIssl entropy +file\fR If a -1 is specified, the entire file will +be read. + +Default: \fBssl entropy bytes = 255\fR +.TP +\fBssl entropy file (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This parameter is used to specify a file from which processes will +read "random bytes" on startup. In order to seed the internal pseudo +random number generator, entropy must be provided. On system with a +\fI/dev/urandom\fR device file, the processes +will retrieve its entropy from the kernel. On systems without kernel +entropy support, a file can be supplied that will be read on startup +and that will be used to seed the PRNG. + +Default: \fBnone\fR +.TP +\fBssl hosts (G)\fR +See \fI ssl hosts resign\fR. +.TP +\fBssl hosts resign (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +These two variables define whether Samba will go +into SSL mode or not. If none of them is defined, Samba will +allow only SSL connections. If the \fIssl hosts\fR variable lists +hosts (by IP-address, IP-address range, net group or name), +only these hosts will be forced into SSL mode. If the \fI ssl hosts resign\fR variable lists hosts, only these +hosts will \fBNOT\fR be forced into SSL mode. The syntax for these two +variables is the same as for the \fI hosts allow\fR and \fIhosts deny\fR pair of variables, only +that the subject of the decision is different: It's not the access +right but whether SSL is used or not. + +The example below requires SSL connections from all hosts +outside the local net (which is 192.168.*.*). + +Default: \fBssl hosts = <empty string>\fR + +\fBssl hosts resign = <empty string>\fR + +Example: \fBssl hosts resign = 192.168.\fR +.TP +\fBssl require clientcert (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +If this variable is set to yes, the +server will not tolerate connections from clients that don't +have a valid certificate. The directory/file given in \fIssl CA certDir\fR +and \fIssl CA certFile +\fRwill be used to look up the CAs that issued +the client's certificate. If the certificate can't be verified +positively, the connection will be terminated. If this variable +is set to no, clients don't need certificates. +Contrary to web applications you really \fBshould\fR +require client certificates. In the web environment the client's +data is sensitive (credit card numbers) and the server must prove +to be trustworthy. In a file server environment the server's data +will be sensitive and the clients must prove to be trustworthy. + +Default: \fBssl require clientcert = no\fR +.TP +\fBssl require servercert (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +If this variable is set to yes, the +\fBsmbclient(1)\fR +will request a certificate from the server. Same as +\fIssl require +clientcert\fR for the server. + +Default: \fBssl require servercert = no\fR +.TP +\fBssl server cert (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This is the file containing the server's certificate. +The server \fBmust\fR have a certificate. The +file may also contain the server's private key. See later for +how certificates and private keys are created. + +Default: \fBssl server cert = <empty string> +\fR.TP +\fBssl server key (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This file contains the private key of the server. If +this variable is not defined, the key is looked up in the +certificate file (it may be appended to the certificate). +The server \fBmust\fR have a private key +and the certificate \fBmust\fR +match this private key. + +Default: \fBssl server key = <empty string> +\fR.TP +\fBssl version (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +This enumeration variable defines the versions of the +SSL protocol that will be used. ssl2or3 allows +dynamic negotiation of SSL v2 or v3, ssl2 results +in SSL v2, ssl3 results in SSL v3 and +tls1 results in TLS v1. TLS (Transport Layer +Security) is the new standard for SSL. + +Default: \fBssl version = "ssl2or3"\fR +.TP +\fBstat cache (G)\fR +This parameter determines if smbd(8)will use a cache in order to +speed up case insensitive name mappings. You should never need +to change this parameter. + +Default: \fBstat cache = yes\fR +.TP +\fBstat cache size (G)\fR +This parameter determines the number of +entries in the \fIstat cache\fR. You should +never need to change this parameter. + +Default: \fBstat cache size = 50\fR +.TP +\fBstatus (G)\fR +This enables or disables logging of connections +to a status file that smbstatus(1) +can read. + +With this disabled \fBsmbstatus\fR won't be able +to tell you what connections are active. You should never need to +change this parameter. + +Default: \fBstatus = yes\fR +.TP +\fBstrict allocate (S)\fR +This is a boolean that controls the handling of +disk space allocation in the server. When this is set to yes +the server will change from UNIX behaviour of not committing real +disk storage blocks when a file is extended to the Windows behaviour +of actually forcing the disk system to allocate real storage blocks +when a file is created or extended to be a given size. In UNIX +terminology this means that Samba will stop creating sparse files. +This can be slow on some systems. + +When strict allocate is no the server does sparse +disk block allocation when a file is extended. + +Setting this to yes can help Samba return +out of quota messages on systems that are restricting the disk quota +of users. + +Default: \fBstrict allocate = no\fR +.TP +\fBstrict locking (S)\fR +This is a boolean that controls the handling of +file locking in the server. When this is set to yes +the server will check every read and write access for file locks, and +deny access if locks exist. This can be slow on some systems. + +When strict locking is no the server does file +lock checks only when the client explicitly asks for them. + +Well-behaved clients always ask for lock checks when it +is important, so in the vast majority of cases \fBstrict +locking = no\fR is preferable. + +Default: \fBstrict locking = no\fR +.TP +\fBstrict sync (S)\fR +Many Windows applications (including the Windows +98 explorer shell) seem to confuse flushing buffer contents to +disk with doing a sync to disk. Under UNIX, a sync call forces +the process to be suspended until the kernel has ensured that +all outstanding data in kernel disk buffers has been safely stored +onto stable storage. This is very slow and should only be done +rarely. Setting this parameter to no (the +default) means that smbdignores the Windows applications requests for +a sync call. There is only a possibility of losing data if the +operating system itself that Samba is running on crashes, so there is +little danger in this default setting. In addition, this fixes many +performance problems that people have reported with the new Windows98 +explorer shell file copies. + +See also the \fIsync +always>\fR parameter. + +Default: \fBstrict sync = no\fR +.TP +\fBstrip dot (G)\fR +This is a boolean that controls whether to +strip trailing dots off UNIX filenames. This helps with some +CDROMs that have filenames ending in a single dot. + +Default: \fBstrip dot = no\fR +.TP +\fBsync always (S)\fR +This is a boolean parameter that controls +whether writes will always be written to stable storage before +the write call returns. If this is false then the server will be +guided by the client's request in each write call (clients can +set a bit indicating that a particular write should be synchronous). +If this is true then every write will be followed by a \fBfsync() +\fRcall to ensure the data is written to disk. Note that +the \fIstrict sync\fR parameter must be set to +yes in order for this parameter to have +any affect. + +See also the \fIstrict +sync\fR parameter. + +Default: \fBsync always = no\fR +.TP +\fBsyslog (G)\fR +This parameter maps how Samba debug messages +are logged onto the system syslog logging levels. Samba debug +level zero maps onto syslog LOG_ERR, debug +level one maps onto LOG_WARNING, debug level +two maps onto LOG_NOTICE, debug level three +maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG. + +This parameter sets the threshold for sending messages +to syslog. Only messages with debug level less than this value +will be sent to syslog. + +Default: \fBsyslog = 1\fR +.TP +\fBsyslog only (G)\fR +If this parameter is set then Samba debug +messages are logged into the system syslog only, and not to +the debug log files. + +Default: \fBsyslog only = no\fR +.TP +\fBtemplate homedir (G)\fR +When filling out the user information for a Windows NT +user, the winbindd(8)daemon +uses this parameter to fill in the home directory for that user. +If the string \fI%D\fR is present it is substituted +with the user's Windows NT domain name. If the string \fI%U +\fRis present it is substituted with the user's Windows +NT user name. + +Default: \fBtemplate homedir = /home/%D/%U\fR +.TP +\fBtemplate shell (G)\fR +When filling out the user information for a Windows NT +user, the winbindd(8)daemon +uses this parameter to fill in the login shell for that user. + +Default: \fBtemplate shell = /bin/false\fR +.TP +\fBtime offset (G)\fR +This parameter is a setting in minutes to add +to the normal GMT to local time conversion. This is useful if +you are serving a lot of PCs that have incorrect daylight +saving time handling. + +Default: \fBtime offset = 0\fR + +Example: \fBtime offset = 60\fR +.TP +\fBtime server (G)\fR +This parameter determines if +nmbd(8)advertises itself as a time server to Windows +clients. + +Default: \fBtime server = no\fR +.TP +\fBtimestamp logs (G)\fR +Synonym for \fI debug timestamp\fR. +.TP +\fBtotal print jobs (G)\fR +This parameter accepts an integer value which defines +a limit on the maximum number of print jobs that will be accepted +system wide at any given time. If a print job is submitted +by a client which will exceed this number, then smbdwill return an +error indicating that no space is available on the server. The +default value of 0 means that no such limit exists. This parameter +can be used to prevent a server from exceeding its capacity and is +designed as a printing throttle. See also +\fImax print jobs\fR. + +Default: \fBtotal print jobs = 0\fR + +Example: \fBtotal print jobs = 5000\fR +.TP +\fBunix extensions(G)\fR +This boolean parameter controls whether Samba +implments the CIFS UNIX extensions, as defined by HP. These +extensions enable CIFS to server UNIX clients to UNIX servers +better, and allow such things as symbolic links, hard links etc. +These extensions require a similarly enabled client, and are of +no current use to Windows clients. + +Default: \fBunix extensions = no\fR +.TP +\fBunix password sync (G)\fR +This boolean parameter controls whether Samba +attempts to synchronize the UNIX password with the SMB password +when the encrypted SMB password in the smbpasswd file is changed. +If this is set to true the program specified in the \fIpasswd +program\fRparameter is called \fBAS ROOT\fR - +to allow the new UNIX password to be set without access to the +old UNIX password (as the SMB password change code has no +access to the old password cleartext, only the new). + +See also \fIpasswd +program\fR, \fI passwd chat\fR. + +Default: \fBunix password sync = no\fR +.TP +\fBupdate encrypted (G)\fR +This boolean parameter allows a user logging +on with a plaintext password to have their encrypted (hashed) +password in the smbpasswd file to be updated automatically as +they log on. This option allows a site to migrate from plaintext +password authentication (users authenticate with plaintext +password over the wire, and are checked against a UNIX account +database) to encrypted password authentication (the SMB +challenge/response authentication mechanism) without forcing +all users to re-enter their passwords via smbpasswd at the time the +change is made. This is a convenience option to allow the change over +to encrypted passwords to be made over a longer period. Once all users +have encrypted representations of their passwords in the smbpasswd +file this parameter should be set to no. + +In order for this parameter to work correctly the \fIencrypt passwords\fR +parameter must be set to no when +this parameter is set to yes. + +Note that even when this parameter is set a user +authenticating to \fBsmbd\fR must still enter a valid +password in order to connect correctly, and to update their hashed +(smbpasswd) passwords. + +Default: \fBupdate encrypted = no\fR +.TP +\fBuse client driver (S)\fR +This parameter applies only to Windows NT/2000 +clients. It has no affect on Windows 95/98/ME clients. When +serving a printer to Windows NT/2000 clients without first installing +a valid printer driver on the Samba host, the client will be required +to install a local printer driver. From this point on, the client +will treat the print as a local printer and not a network printer +connection. This is much the same behavior that will occur +when \fBdisable spoolss = yes\fR. + +The differentiating +factor is that under normal circumstances, the NT/2000 client will +attempt to open the network printer using MS-RPC. The problem is that +because the client considers the printer to be local, it will attempt +to issue the OpenPrinterEx() call requesting access rights associated +with the logged on user. If the user possesses local administator rights +but not root privilegde on the Samba host (often the case), the OpenPrinterEx() +call will fail. The result is that the client will now display an "Access +Denied; Unable to connect" message in the printer queue window (even though +jobs may successfully be printed). + +If this parameter is enabled for a printer, then any attempt +to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped +to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() +call to succeed. \fBThis parameter MUST not be able enabled +on a print share which has valid print driver installed on the Samba +server.\fR + +See also disable spoolss + +Default: \fBuse client driver = no\fR +.TP +\fBuse mmap (G)\fR +This global parameter determines if the tdb internals of Samba can +depend on mmap working correctly on the running system. Samba requires a coherent +mmap/read-write system memory cache. Currently only HPUX does not have such a +coherent cache, and so this parameter is set to false by +default on HPUX. On all other systems this parameter should be left alone. This +parameter is provided to help the Samba developers track down problems with +the tdb internal code. + +Default: \fBuse mmap = yes\fR +.TP +\fBuse rhosts (G)\fR +If this global parameter is true, it specifies +that the UNIX user's \fI.rhosts\fR file in their home directory +will be read to find the names of hosts and users who will be allowed +access without specifying a password. + +\fBNOTE:\fR The use of \fIuse rhosts +\fRcan be a major security hole. This is because you are +trusting the PC to supply the correct username. It is very easy to +get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what +you are doing. + +Default: \fBuse rhosts = no\fR +.TP +\fBuser (S)\fR +Synonym for \fI username\fR. +.TP +\fBusers (S)\fR +Synonym for \fI username\fR. +.TP +\fBusername (S)\fR +Multiple users may be specified in a comma-delimited +list, in which case the supplied password will be tested against +each username in turn (left to right). + +The \fIusername\fR line is needed only when +the PC is unable to supply its own username. This is the case +for the COREPLUS protocol or where your users have different WfWg +usernames to UNIX usernames. In both these cases you may also be +better using the \\\\server\\share%user syntax instead. + +The \fIusername\fR line is not a great +solution in many cases as it means Samba will try to validate +the supplied password against each of the usernames in the +\fIusername\fR line in turn. This is slow and +a bad idea for lots of users in case of duplicate passwords. +You may get timeouts or security breaches using this parameter +unwisely. + +Samba relies on the underlying UNIX security. This +parameter does not restrict who can login, it just offers hints +to the Samba server as to what usernames might correspond to the +supplied password. Users can login as whoever they please and +they will be able to do no more damage than if they started a +telnet session. The daemon runs as the user that they log in as, +so they cannot do anything that user cannot do. + +To restrict a service to a particular set of users you +can use the \fIvalid users +\fRparameter. + +If any of the usernames begin with a '@' then the name +will be looked up first in the NIS netgroups list (if Samba +is compiled with netgroup support), followed by a lookup in +the UNIX groups database and will expand to a list of all users +in the group of that name. + +If any of the usernames begin with a '+' then the name +will be looked up only in the UNIX groups database and will +expand to a list of all users in the group of that name. + +If any of the usernames begin with a '&'then the name +will be looked up only in the NIS netgroups database (if Samba +is compiled with netgroup support) and will expand to a list +of all users in the netgroup group of that name. + +Note that searching though a groups database can take +quite some time, and some clients may time out during the +search. + +See the section NOTE ABOUT +USERNAME/PASSWORD VALIDATION for more information on how +this parameter determines access to the services. + +Default: \fBThe guest account if a guest service, +else <empty string>.\fR + +Examples:\fBusername = fred, mary, jack, jane, +@users, @pcgroup\fR +.TP +\fBusername level (G)\fR +This option helps Samba to try and 'guess' at +the real UNIX username, as many DOS clients send an all-uppercase +username. By default Samba tries all lowercase, followed by the +username with the first letter capitalized, and fails if the +username is not found on the UNIX machine. + +If this parameter is set to non-zero the behavior changes. +This parameter is a number that specifies the number of uppercase +combinations to try while trying to determine the UNIX user name. The +higher the number the more combinations will be tried, but the slower +the discovery of usernames will be. Use this parameter when you have +strange usernames on your UNIX machine, such as AstrangeUser +\&. + +Default: \fBusername level = 0\fR + +Example: \fBusername level = 5\fR +.TP +\fBusername map (G)\fR +This option allows you to specify a file containing +a mapping of usernames from the clients to the server. This can be +used for several purposes. The most common is to map usernames +that users use on DOS or Windows machines to those that the UNIX +box uses. The other is to map multiple users to a single username +so that they can more easily share files. + +The map file is parsed line by line. Each line should +contain a single UNIX username on the left then a '=' followed +by a list of usernames on the right. The list of usernames on the +right may contain names of the form @group in which case they +will match any UNIX username in that group. The special client +name '*' is a wildcard and matches any name. Each line of the +map file may be up to 1023 characters long. + +The file is processed on each line by taking the +supplied username and comparing it with each username on the right +hand side of the '=' signs. If the supplied name matches any of +the names on the right hand side then it is replaced with the name +on the left. Processing then continues with the next line. + +If any line begins with a '#' or a ';' then it is +ignored + +If any line begins with an '!' then the processing +will stop after that line if a mapping was done by the line. +Otherwise mapping continues with every line being processed. +Using '!' is most useful when you have a wildcard mapping line +later in the file. + +For example to map from the name admin +or administrator to the UNIX name root you would use: + +\fBroot = admin administrator\fR + +Or to map anyone in the UNIX group system +to the UNIX name sys you would use: + +\fBsys = @system\fR + +You can have as many mappings as you like in a username +map file. + +If your system supports the NIS NETGROUP option then +the netgroup database is checked before the \fI/etc/group +\fRdatabase for matching groups. + +You can map Windows usernames that have spaces in them +by using double quotes around the name. For example: + +\fBtridge = "Andrew Tridgell"\fR + +would map the windows username "Andrew Tridgell" to the +unix username "tridge". + +The following example would map mary and fred to the +unix user sys, and map the rest to guest. Note the use of the +\&'!' to tell Samba to stop processing if it gets a match on +that line. + +.sp +.nf + !sys = mary fred + guest = * + +.sp +.fi + +Note that the remapping is applied to all occurrences +of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you +will actually be connecting to \\\\server\\mary and will need to +supply a password suitable for mary not +fred. The only exception to this is the +username passed to the \fI password server\fR (if you have one). The password +server will receive whatever username the client supplies without +modification. + +Also note that no reverse mapping is done. The main effect +this has is with printing. Users who have been mapped may have +trouble deleting print jobs as PrintManager under WfWg will think +they don't own the print job. + +Default: \fBno username map\fR + +Example: \fBusername map = /usr/local/samba/lib/users.map +\fR.TP +\fButmp (G)\fR +This boolean parameter is only available if +Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to true then Samba will attempt +to add utmp or utmpx records (depending on the UNIX system) whenever a +connection is made to a Samba server. Sites may use this to record the +user connecting to a Samba share. + +See also the \fI utmp directory\fR parameter. + +Default: \fButmp = no\fR +.TP +\fButmp directory(G)\fR +This parameter is only available if Samba has +been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is +used to store the utmp or utmpx files (depending on the UNIX system) that +record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is +not set, meaning the system will use whatever utmp file the +native system is set to use (usually +\fI/var/run/utmp\fR on Linux). + +Default: \fBno utmp directory\fR +.TP +\fBvalid users (S)\fR +This is a list of users that should be allowed +to login to this service. Names starting with '@', '+' and '&' +are interpreted using the same rules as described in the +\fIinvalid users\fR parameter. + +If this is empty (the default) then any user can login. +If a username is in both this list and the \fIinvalid +users\fR list then access is denied for that user. + +The current servicename is substituted for \fI%S +\fR\&. This is useful in the [homes] section. + +See also \fIinvalid users +\fR +Default: \fBNo valid users list (anyone can login) +\fR +Example: \fBvalid users = greg, @pcusers\fR +.TP +\fBveto files(S)\fR +This is a list of files and directories that +are neither visible nor accessible. Each entry in the list must +be separated by a '/', which allows spaces to be included +in the entry. '*' and '?' can be used to specify multiple files +or directories as in DOS wildcards. + +Each entry must be a unix path, not a DOS path and +must \fBnot\fR include the unix directory +separator '/'. + +Note that the \fIcase sensitive\fR option +is applicable in vetoing files. + +One feature of the veto files parameter that it +is important to be aware of is Samba's behaviour when +trying to delete a directory. If a directory that is +to be deleted contains nothing but veto files this +deletion will \fBfail\fR unless you also set +the \fIdelete veto files\fR parameter to +\fIyes\fR. + +Setting this parameter will affect the performance +of Samba, as it will be forced to check all files and directories +for a match as they are scanned. + +See also \fIhide files +\fRand \fI case sensitive\fR. + +Default: \fBNo files or directories are vetoed. +\fR +Examples: +.sp +.nf +; Veto any files containing the word Security, +; any ending in .tmp, and any directory containing the +; word root. +veto files = /*Security*/*.tmp/*root*/ + +; Veto the Apple specific files that a NetAtalk server +; creates. +veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ +.sp +.fi +.TP +\fBveto oplock files (S)\fR +This parameter is only valid when the \fIoplocks\fR +parameter is turned on for a share. It allows the Samba administrator +to selectively turn off the granting of oplocks on selected files that +match a wildcarded list, similar to the wildcarded list used in the +\fIveto files\fR +parameter. + +Default: \fBNo files are vetoed for oplock +grants\fR + +You might want to do this on files that you know will +be heavily contended for by clients. A good example of this +is in the NetBench SMB benchmark program, which causes heavy +client contention for files ending in \fI.SEM\fR. +To cause Samba not to grant oplocks on these files you would use +the line (either in the [global] section or in the section for +the particular NetBench share : + +Example: \fBveto oplock files = /*.SEM/ +\fR.TP +\fBvfs object (S)\fR +This parameter specifies a shared object file that +is used for Samba VFS I/O operations. By default, normal +disk I/O operations are used but these can be overloaded +with a VFS object. The Samba VFS layer is new to Samba 2.2 and +must be enabled at compile time with --with-vfs. + +Default : \fBno value\fR +.TP +\fBvfs options (S)\fR +This parameter allows parameters to be passed +to the vfs layer at initialization time. The Samba VFS layer +is new to Samba 2.2 and must be enabled at compile time +with --with-vfs. See also \fI vfs object\fR. + +Default : \fBno value\fR +.TP +\fBvolume (S)\fR +This allows you to override the volume label +returned for a share. Useful for CDROMs with installation programs +that insist on a particular volume label. + +Default: \fBthe name of the share\fR +.TP +\fBwide links (S)\fR +This parameter controls whether or not links +in the UNIX file system may be followed by the server. Links +that point to areas within the directory tree exported by the +server are always allowed; this parameter controls access only +to areas that are outside the directory tree being exported. + +Note that setting this parameter can have a negative +effect on your server performance due to the extra system calls +that Samba has to do in order to perform the link checks. + +Default: \fBwide links = yes\fR +.TP +\fBwinbind cache time\fR +This parameter specifies the number of seconds the +winbindd(8)daemon will cache +user and group information before querying a Windows NT server +again. + +Default: \fBwinbind cache type = 15\fR +.TP +\fBwinbind enum users\fR +On large installations using +winbindd(8)it may be +necessary to suppress the enumeration of users through the +\fBsetpwent()\fR, +\fBgetpwent()\fR and +\fBendpwent()\fR group of system calls. If +the \fIwinbind enum users\fR parameter is +false, calls to the \fBgetpwent\fR system call +will not return any data. + +\fBWarning:\fR Turning off user +enumeration may cause some programs to behave oddly. For +example, the finger program relies on having access to the +full user list when searching for matching +usernames. + +Default: \fBwinbind enum users = yes \fR +.TP +\fBwinbind enum groups\fR +On large installations using +winbindd(8)it may be +necessary to suppress the enumeration of groups through the +\fBsetgrent()\fR, +\fBgetgrent()\fR and +\fBendgrent()\fR group of system calls. If +the \fIwinbind enum groups\fR parameter is +false, calls to the \fBgetgrent()\fR system +call will not return any data. + +\fBWarning:\fR Turning off group +enumeration may cause some programs to behave oddly. + +Default: \fBwinbind enum groups = yes \fR +.TP +\fBwinbind gid\fR +The winbind gid parameter specifies the range of group +ids that are allocated by the winbindd(8)daemon. This range of group ids should have no +existing local or NIS groups within it as strange conflicts can +occur otherwise. + +Default: \fBwinbind gid = <empty string> +\fR +Example: \fBwinbind gid = 10000-20000\fR +.TP +\fBwinbind separator\fR +This parameter allows an admin to define the character +used when listing a username of the form of \fIDOMAIN +\fR\\\fIuser\fR. This parameter +is only applicable when using the \fIpam_winbind.so\fR +and \fInss_winbind.so\fR modules for UNIX services. + +Example: \fBwinbind separator = \\\fR + +Example: \fBwinbind separator = +\fR +.TP +\fBwinbind uid\fR +The winbind gid parameter specifies the range of group +ids that are allocated by the winbindd(8)daemon. This range of ids should have no +existing local or NIS users within it as strange conflicts can +occur otherwise. + +Default: \fBwinbind uid = <empty string> +\fR +Example: \fBwinbind uid = 10000-20000\fR +.TP +\fBwinbind use default domain\fR +.TP +\fBwinbind use default domain\fR +This parameter specifies whether the winbindd(8) +daemon should operate on users without domain component in their username. +Users without a domain component are treated as is part of the winbindd server's +own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail +function in a way much closer to the way they would in a native unix system. + +Default: \fBwinbind use default domain = <falseg> +\fR +Example: \fBwinbind use default domain = true\fR +.TP +\fBwins hook (G)\fR +When Samba is running as a WINS server this +allows you to call an external program for all changes to the +WINS database. The primary use for this option is to allow the +dynamic update of external name resolution databases such as +dynamic DNS. + +The wins hook parameter specifies the name of a script +or executable that will be called as follows: + +\fBwins_hook operation name nametype ttl IP_list +\fR.RS +.TP 0.2i +\(bu +The first argument is the operation and is one +of "add", "delete", or "refresh". In most cases the operation can +be ignored as the rest of the parameters provide sufficient +information. Note that "refresh" may sometimes be called when the +name has not previously been added, in that case it should be treated +as an add. +.TP 0.2i +\(bu +The second argument is the NetBIOS name. If the +name is not a legal name then the wins hook is not called. +Legal names contain only letters, digits, hyphens, underscores +and periods. +.TP 0.2i +\(bu +The third argument is the NetBIOS name +type as a 2 digit hexadecimal number. +.TP 0.2i +\(bu +The fourth argument is the TTL (time to live) +for the name in seconds. +.TP 0.2i +\(bu +The fifth and subsequent arguments are the IP +addresses currently registered for that name. If this list is +empty then the name should be deleted. .RE - +.PP +An example script that calls the BIND dynamic DNS update +program \fBnsupdate\fR is provided in the examples +directory of the Samba source code. +.PP +.TP +\fBwins proxy (G)\fR +This is a boolean that controls if nmbd(8)will respond to broadcast name +queries on behalf of other hosts. You may need to set this +to yes for some older clients. + +Default: \fBwins proxy = no\fR +.TP +\fBwins server (G)\fR +This specifies the IP address (or DNS name: IP +address for preference) of the WINS server that nmbd(8)should register with. If you have a WINS server on +your network then you should set this to the WINS server's IP. + +You should point this at your WINS server if you have a +multi-subnetted network. + +\fBNOTE\fR. You need to set up Samba to point +to a WINS server if you have multiple subnets and wish cross-subnet +browsing to work correctly. + +See the documentation file \fIBROWSING.txt\fR +in the docs/ directory of your Samba source distribution. + +Default: \fBnot enabled\fR + +Example: \fBwins server = 192.9.200.1\fR +.TP +\fBwins support (G)\fR +This boolean controls if the +nmbd(8)process in Samba will act as a WINS server. You should +not set this to true unless you have a multi-subnetted network and +you wish a particular \fBnmbd\fR to be your WINS server. +Note that you should \fBNEVER\fR set this to true +on more than one machine in your network. + +Default: \fBwins support = no\fR +.TP +\fBworkgroup (G)\fR +This controls what workgroup your server will +appear to be in when queried by clients. Note that this parameter +also controls the Domain name used with the \fBsecurity = domain\fR +setting. + +Default: \fBset at compile time to WORKGROUP\fR + +Example: \fBworkgroup = MYGROUP\fR +.TP +\fBwritable (S)\fR +Synonym for \fI writeable\fR for people who can't spell :-). +.TP +\fBwrite cache size (S)\fR +If this integer parameter is set to non-zero value, +Samba will create an in-memory cache for each oplocked file +(it does \fBnot\fR do this for +non-oplocked files). All writes that the client does not request +to be flushed directly to disk will be stored in this cache if possible. +The cache is flushed onto disk when a write comes in whose offset +would not fit into the cache or when the file is closed by the client. +Reads for the file are also served from this cache if the data is stored +within it. + +This cache allows Samba to batch client writes into a more +efficient write size for RAID disks (i.e. writes may be tuned to +be the RAID stripe size) and can improve performance on systems +where the disk subsystem is a bottleneck but there is free +memory for userspace programs. + +The integer parameter specifies the size of this cache +(per oplocked file) in bytes. + +Default: \fBwrite cache size = 0\fR + +Example: \fBwrite cache size = 262144\fR + +for a 256k cache size per file. +.TP +\fBwrite list (S)\fR +This is a list of users that are given read-write +access to a service. If the connecting user is in this list then +they will be given write access, no matter what the \fIwriteable\fR +option is set to. The list can include group names using the +@group syntax. + +Note that if a user is in both the read list and the +write list then they will be given write access. + +See also the \fIread list +\fRoption. + +Default: \fBwrite list = <empty string> +\fR +Example: \fBwrite list = admin, root, @staff +\fR.TP +\fBwrite ok (S)\fR +Synonym for \fI writeable\fR. +.TP +\fBwrite raw (G)\fR +This parameter controls whether or not the server +will support raw write SMB's when transferring data from clients. +You should never need to change this parameter. + +Default: \fBwrite raw = yes\fR +.TP +\fBwriteable (S)\fR +An inverted synonym is \fIread only\fR. + +If this parameter is no, then users +of a service may not create or modify files in the service's +directory. + +Note that a printable service (\fBprintable = yes\fR) +will \fBALWAYS\fR allow writing to the directory +(user privileges permitting), but only via spooling operations. + +Default: \fBwriteable = no\fR +.SH "WARNINGS" +.PP +Although the configuration file permits service names +to contain spaces, your client software may not. Spaces will +be ignored in comparisons anyway, so it shouldn't be a +problem - but be aware of the possibility. +.PP +On a similar note, many clients - especially DOS clients - +limit service names to eight characters. smbd(8) +has no such limitation, but attempts to connect from such +clients will fail if they truncate the service names. For this reason +you should probably keep your service names down to eight characters +in length. +.PP +Use of the [homes] and [printers] special sections make life +for an administrator easy, but the various combinations of default +attributes can be tricky. Take extreme care when designing these +sections. In particular, ensure that the permissions on spool +directories are correct. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "SEE ALSO" +.PP +samba(7), +\fBsmbpasswd(8)\fR, +\fBswat(8)\fR, +\fBsmbd(8)\fR, +\fBnmbd(8)\fR, +\fBsmbclient(1)\fR, +\fBnmblookup(1)\fR, +\fBtestparm(1)\fR, +\fBtestprns(1)\fR +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter |